Index: samba-3.0.24/source/include/smb_macros.h
===================================================================
--- samba-3.0.24.orig/source/include/smb_macros.h 2007-05-10 09:47:34.000000000 -0500
+++ samba-3.0.24/source/include/smb_macros.h 2007-05-10 09:48:03.000000000 -0500
@@ -310,7 +310,6 @@
 #if defined(PARANOID_MALLOC_CHECKER)
 #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem_((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem_((ps),(size),1)
 /* Get medieval on our ass about malloc.... */
@@ -354,7 +353,6 @@
 #define __location__ __FILE__ ":" __LINESTR__
 #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem((ps),(size),1)
 /* Regular malloc code. */
Index: samba-3.0.24/source/rpc_parse/parse_dfs.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_dfs.c 2007-05-10 09:47:28.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_dfs.c 2007-05-10 09:48:03.000000000 -0500
@@ -325,7 +325,9 @@
 return False;
 if (UNMARSHALLING(ps)) {
- v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+ v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+ if (!v->stores)
+ return False;
 }
 for (i_stores_1=0; i_stores_1num_stores;i_stores_1++) {
 if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
@@ -447,7 +449,9 @@
 return False;
 if (UNMARSHALLING(ps)) {
- v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+ v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+ if (!v->stores)
+ return False;
 }
 for (i_stores_1=0; i_stores_1num_stores;i_stores_1++) {
 if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
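Review bot: The added `if (!v->stores) return False;` after the PRS_ALLOC_MEM call turns a zero-element array into a parse failure, because the parse_prs.c hunk on this same patch makes prs_alloc_mem return NULL whenever count is 0. If a zero num_stores is legitimate on the wire, the allocation needs the guard the parse_sec.c hunk uses, `if (v->num_stores) { v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores); if (!v->stores) return False; }`, so an empty array leaves v->stores NULL and the loop below runs zero times; if a zero count is not legitimate, a one-line comment saying so would stop the next reader from re-adding the guard. The same pattern recurs in the @@ -447 hunk and in the seven @@ -920 … @@ -1250 hunks that allocate v->s. The enclosing functions start and end outside these hunks.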
@@ -920,7 +924,9 @@
 return False;
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO1,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1count;i_s_1++) {
 if (!netdfs_io_dfs_Info1_p("s", &v->s[i_s_1], ps, depth))
@@ -986,7 +992,9 @@
 return False;
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO2,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1count;i_s_1++) {
 if (!netdfs_io_dfs_Info2_p("s", &v->s[i_s_1], ps, depth))
@@ -1052,7 +1060,9 @@
 return False;
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO3,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1count;i_s_1++) {
 if (!netdfs_io_dfs_Info3_p("s", &v->s[i_s_1], ps, depth))
@@ -1118,7 +1128,9 @@
 return False;
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO4,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1count;i_s_1++) {
 if (!netdfs_io_dfs_Info4_p("s", &v->s[i_s_1], ps, depth))
@@ -1184,7 +1196,9 @@
 return False;
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO200,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1count;i_s_1++) {
 if (!netdfs_io_dfs_Info200_p("s", &v->s[i_s_1], ps, depth))
@@ -1250,7 +1264,9 @@
 return False;
 if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO300,v->count);
+ if (!v->s)
+ return False;
 }
 for (i_s_1=0; i_s_1count;i_s_1++) {
 if (!netdfs_io_dfs_Info300_p("s", &v->s[i_s_1], ps, depth))
Index: samba-3.0.24/source/rpc_parse/parse_lsa.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_lsa.c 2007-05-10 09:47:14.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_lsa.c 2007-05-10 09:47:58.000000000 -0500
@@ -1349,12 +1349,17 @@
 &trn->num_entries2))
 return False;
+ if (trn->num_entries2 != trn->num_entries) {
+ /* RPC fault */
+ return False;
+ }
+
 if (UNMARSHALLING(ps)) {
- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {
+ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
 return False;
 }
- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
 return False;
 }
 }
@@ -1406,12 +1411,17 @@
 &trn->num_entries2))
 return False;
+ if (trn->num_entries2 != trn->num_entries) {
+ /* RPC fault */
+ return False;
+ }
+
 if (UNMARSHALLING(ps)) {
- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries)) == NULL) {
+ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) {
 return False;
 }
- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
 return False;
 }
 }
@@ -2759,7 +2769,7 @@
 static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struct *ps, int depth)
 {
- uint32 i;
+ uint32 i, dummy;
 prs_debug(ps, depth, desc, "lsa_io_privilege_set");
 depth++;
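Review bot: The new `if (trn->num_entries2 != trn->num_entries)` rejection returns False with no log output, so an operator cannot distinguish a malformed (possibly hostile) LSA PDU from an ordinary parse error, whereas the parse_spoolss.c hunk on this patch logs its equivalent count mismatch before rejecting. A line such as `DEBUG(2, ("num_entries2 %u does not match num_entries %u\n", trn->num_entries2, trn->num_entries));` before the return would make these rejections visible, and the bare `/* RPC fault */` would read better as `/* both counts describe the same array; a mismatch means a malformed PDU */`. The @@ -1406 hunk carries the identical check and needs the same treatment. The enclosing function starts and ends outside the hunk.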
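Review bot: `dummy` is declared without an initializer in `uint32 i, dummy;`, yet the @@ -2767 hunk passes `&dummy` to prs_uint32 for the count field; if this prs_ routine also serves the marshalling direction (the prs_uint32 calls around it are bidirectional, but the hunk does not show a direction check), that reads an uninitialized local and emits it as the on-wire count, which is undefined behaviour. Changing the declaration to `uint32 i, dummy = out->count;` keeps the unmarshalling side ignoring the wire value while marshalling writes the real count. A comment on the prs_uint32 call in the @@ -2767 hunk, e.g. `/* the wire count is deliberately discarded; out->count is expected to describe the array already allocated by the caller */`, would record why the field is parsed into a throwaway — that expectation is inferred, not visible here, so confirm it against the callers. The function body continues past both hunks.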
@@ -2767,7 +2777,7 @@
 if(!prs_align(ps))
 return False;
- if(!prs_uint32("count", ps, depth, &out->count))
+ if(!prs_uint32("count", ps, depth, &dummy))
 return False;
 if(!prs_uint32("control", ps, depth, &out->control))
 return False;
Index: samba-3.0.24/source/rpc_parse/parse_prs.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_prs.c 2007-05-10 09:47:19.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_prs.c 2007-05-10 09:48:03.000000000 -0500
@@ -156,7 +156,7 @@
 {
 char *ret = NULL;
- if (size) {
+ if (size && count) {
 /* We can't call the type-safe version here. */
 ret = _talloc_zero_array(ps->mem_ctx, size, count, "parse_prs");
 }
@@ -642,7 +642,7 @@
 return True;
 if (UNMARSHALLING(ps)) {
- if ( !(*data = PRS_ALLOC_MEM_VOID(ps, data_size)) )
+ if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
 return False;
 }
Index: samba-3.0.24/source/rpc_parse/parse_sec.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_sec.c 2007-05-10 09:47:22.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_sec.c 2007-05-10 09:48:01.000000000 -0500
@@ -122,7 +122,7 @@
 for you as it reads them.
 ********************************************************************/
-BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
+static BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
 {
 unsigned int i;
 uint32 old_offset;
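Review bot: The new `if (size && count)` condition in the @@ -156 hunk silently changes this allocator's contract: a zero-element request now returns NULL, the same value as an allocation failure, so callers that test `if (!ptr) return False;` (every parse_dfs.c hunk on this patch) now fail a parse on an empty array. The function header is outside the hunk, but a comment beside the condition should record this, e.g. `/* A zero size or count yields NULL, indistinguishable from OOM; callers that accept empty arrays must test the count first. */`. It is also worth confirming that _talloc_zero_array rejects size*count overflow, since count arrives straight off the wire in these callers; if it does not, that check belongs here rather than in each caller.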
@@ -165,13 +165,10 @@
 return False;
 if (UNMARSHALLING(ps)) {
- /*
- * Even if the num_aces is zero, allocate memory as there's a difference
- * between a non-present DACL (allow all access) and a DACL with no ACE's
- * (allow no access).
- */
- if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
- return False;
+ if (psa->num_aces) {
+ if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
+ return False;
+ }
 }
 for (i = 0; i < psa->num_aces; i++) {
Index: samba-3.0.24/source/rpc_parse/parse_spoolss.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_spoolss.c 2007-05-10 09:47:16.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_spoolss.c 2007-05-10 09:48:00.000000000 -0500
@@ -227,8 +227,13 @@
 if(!prs_uint32("count2", ps, depth, &type->count2))
 return False;
- if (type->count2 != type->count)
+ if (type->count2 != type->count) {
 DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
+ return False;
+ }
+ if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
+ return False;
+ }
 /* parse the option type data */
 for(i=0;icount2;i++)
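Review bot: The removed comment was the only place recording that a DACL with zero ACEs (allow no access) differs from an absent DACL (allow all access); after this hunk an empty ACL keeps `psa->ace == NULL`, so any consumer that treats a NULL `ace` pointer as "no ACL" will conflate the two. Keep that knowledge at the new guard, e.g. `/* A zero-ACE ACL leaves ace NULL; presence of the ACL is signalled by the SEC_ACL object itself, not by ace. */`, and confirm that psa is zero-initialised before this point so `ace` really is NULL when num_aces is 0 (psa's allocation is outside the hunk). Dropping the `psa->num_aces+1` also removes the wrap-around when num_aces is the maximum uint32 value, which is worth a word in the commit message if it is not there already. The enclosing sec_io_acl body continues on both sides of the hunk.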
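Review bot: The new `if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW)` rejection in the parse_spoolss.c hunk is silent while the count mismatch just above it logs at level 4; an oversized count is the case most worth seeing in logs, so add `DEBUG(4, ("count2 %u exceeds MAX_NOTIFY_TYPE_FOR_NOW\n", type->count2));` before that return. The mismatch branch now returns False after the DEBUG where it previously fell through; a short comment such as `/* counts disagree: reject the PDU rather than trust either value */` would keep a later reader from "restoring" the fall-through. The loop that consumes count2 and the rest of the function lie outside the hunk.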