Attachment #118834 for bug #177029

Lines 310-316 Link Here

(-)samba-3.0.24.orig/source/include/smb_macros.h (-2 lines)
310	#if defined(PARANOID_MALLOC_CHECKER)	310	#if defined(PARANOID_MALLOC_CHECKER)
311		311
312	#define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem_((ps),sizeof(type),(count))	312	#define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem_((ps),sizeof(type),(count))
313	#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem_((ps),(size),1)
314		313
315	/* Get medieval on our ass about malloc.... */	314	/* Get medieval on our ass about malloc.... */
316		315
Lines 354-360 Link Here
354	#define __location__ __FILE__ ":" __LINESTR__	353	#define __location__ __FILE__ ":" __LINESTR__
355		354
356	#define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem((ps),sizeof(type),(count))	355	#define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem((ps),sizeof(type),(count))
357	#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem((ps),(size),1)
358		356
359	/* Regular malloc code. */	357	/* Regular malloc code. */
360		358

Lines 325-331 Link Here

(-)samba-3.0.24.orig/source/rpc_parse/parse_dfs.c (-8 / +24 lines)
325	return False;	325	return False;
326		326
327	if (UNMARSHALLING(ps)) {	327	if (UNMARSHALLING(ps)) {
328	v->stores = (void )PRS_ALLOC_MEM_VOID(ps,sizeof(v->stores)*v->num_stores);	328	v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
		329	if (!v->stores)
		330	return False;
329	}	331	}
330	for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {	332	for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
331	if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))	333	if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
Lines 447-453 Link Here
447	return False;	449	return False;
448		450
449	if (UNMARSHALLING(ps)) {	451	if (UNMARSHALLING(ps)) {
450	v->stores = (void )PRS_ALLOC_MEM_VOID(ps,sizeof(v->stores)*v->num_stores);	452	v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
		453	if (!v->stores)
		454	return False;
451	}	455	}
452	for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {	456	for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
453	if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))	457	if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
Lines 920-926 Link Here
920	return False;	924	return False;
921		925
922	if (UNMARSHALLING(ps)) {	926	if (UNMARSHALLING(ps)) {
923	v->s = (void )PRS_ALLOC_MEM_VOID(ps,sizeof(v->s)*v->count);	927	v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO1,v->count);
		928	if (!v->s)
		929	return False;
924	}	930	}
925	for (i_s_1=0; i_s_1<v->count;i_s_1++) {	931	for (i_s_1=0; i_s_1<v->count;i_s_1++) {
926	if (!netdfs_io_dfs_Info1_p("s", &v->s[i_s_1], ps, depth))	932	if (!netdfs_io_dfs_Info1_p("s", &v->s[i_s_1], ps, depth))
Lines 986-992 Link Here
986	return False;	992	return False;
987		993
988	if (UNMARSHALLING(ps)) {	994	if (UNMARSHALLING(ps)) {
989	v->s = (void )PRS_ALLOC_MEM_VOID(ps,sizeof(v->s)*v->count);	995	v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO2,v->count);
		996	if (!v->s)
		997	return False;
990	}	998	}
991	for (i_s_1=0; i_s_1<v->count;i_s_1++) {	999	for (i_s_1=0; i_s_1<v->count;i_s_1++) {
992	if (!netdfs_io_dfs_Info2_p("s", &v->s[i_s_1], ps, depth))	1000	if (!netdfs_io_dfs_Info2_p("s", &v->s[i_s_1], ps, depth))
Lines 1052-1058 Link Here
1052	return False;	1060	return False;
1053		1061
1054	if (UNMARSHALLING(ps)) {	1062	if (UNMARSHALLING(ps)) {
1055	v->s = (void )PRS_ALLOC_MEM_VOID(ps,sizeof(v->s)*v->count);	1063	v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO3,v->count);
		1064	if (!v->s)
		1065	return False;
1056	}	1066	}
1057	for (i_s_1=0; i_s_1<v->count;i_s_1++) {	1067	for (i_s_1=0; i_s_1<v->count;i_s_1++) {
1058	if (!netdfs_io_dfs_Info3_p("s", &v->s[i_s_1], ps, depth))	1068	if (!netdfs_io_dfs_Info3_p("s", &v->s[i_s_1], ps, depth))
Lines 1118-1124 Link Here
1118	return False;	1128	return False;
1119		1129
1120	if (UNMARSHALLING(ps)) {	1130	if (UNMARSHALLING(ps)) {
1121	v->s = (void )PRS_ALLOC_MEM_VOID(ps,sizeof(v->s)*v->count);	1131	v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO4,v->count);
		1132	if (!v->s)
		1133	return False;
1122	}	1134	}
1123	for (i_s_1=0; i_s_1<v->count;i_s_1++) {	1135	for (i_s_1=0; i_s_1<v->count;i_s_1++) {
1124	if (!netdfs_io_dfs_Info4_p("s", &v->s[i_s_1], ps, depth))	1136	if (!netdfs_io_dfs_Info4_p("s", &v->s[i_s_1], ps, depth))
Lines 1184-1190 Link Here
1184	return False;	1196	return False;
1185		1197
1186	if (UNMARSHALLING(ps)) {	1198	if (UNMARSHALLING(ps)) {
1187	v->s = (void )PRS_ALLOC_MEM_VOID(ps,sizeof(v->s)*v->count);	1199	v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO200,v->count);
		1200	if (!v->s)
		1201	return False;
1188	}	1202	}
1189	for (i_s_1=0; i_s_1<v->count;i_s_1++) {	1203	for (i_s_1=0; i_s_1<v->count;i_s_1++) {
1190	if (!netdfs_io_dfs_Info200_p("s", &v->s[i_s_1], ps, depth))	1204	if (!netdfs_io_dfs_Info200_p("s", &v->s[i_s_1], ps, depth))
Lines 1250-1256 Link Here
1250	return False;	1264	return False;
1251		1265
1252	if (UNMARSHALLING(ps)) {	1266	if (UNMARSHALLING(ps)) {
1253	v->s = (void )PRS_ALLOC_MEM_VOID(ps,sizeof(v->s)*v->count);	1267	v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO300,v->count);
		1268	if (!v->s)
		1269	return False;
1254	}	1270	}
1255	for (i_s_1=0; i_s_1<v->count;i_s_1++) {	1271	for (i_s_1=0; i_s_1<v->count;i_s_1++) {
1256	if (!netdfs_io_dfs_Info300_p("s", &v->s[i_s_1], ps, depth))	1272	if (!netdfs_io_dfs_Info300_p("s", &v->s[i_s_1], ps, depth))

Lines 1349-1360 Link Here

(-)samba-3.0.24.orig/source/rpc_parse/parse_lsa.c (-6 / +16 lines)
1349	&trn->num_entries2))	1349	&trn->num_entries2))
1350	return False;	1350	return False;
1351		1351
		1352	if (trn->num_entries2 != trn->num_entries) {
		1353	/* RPC fault */
		1354	return False;
		1355	}
		1356
1352	if (UNMARSHALLING(ps)) {	1357	if (UNMARSHALLING(ps)) {
1353	if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {	1358	if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
1354	return False;	1359	return False;
1355	}	1360	}
1356		1361
1357	if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {	1362	if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
1358	return False;	1363	return False;
1359	}	1364	}
1360	}	1365	}
Lines 1406-1417 Link Here
1406	&trn->num_entries2))	1411	&trn->num_entries2))
1407	return False;	1412	return False;
1408		1413
		1414	if (trn->num_entries2 != trn->num_entries) {
		1415	/* RPC fault */
		1416	return False;
		1417	}
		1418
1409	if (UNMARSHALLING(ps)) {	1419	if (UNMARSHALLING(ps)) {
1410	if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries)) == NULL) {	1420	if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) {
1411	return False;	1421	return False;
1412	}	1422	}
1413		1423
1414	if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {	1424	if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
1415	return False;	1425	return False;
1416	}	1426	}
1417	}	1427	}
Lines 2759-2765 Link Here
2759		2769
2760	static BOOL lsa_io_privilege_set(const char desc, PRIVILEGE_SET out, prs_struct *ps, int depth)	2770	static BOOL lsa_io_privilege_set(const char desc, PRIVILEGE_SET out, prs_struct *ps, int depth)
2761	{	2771	{
2762	uint32 i;	2772	uint32 i, dummy;
2763		2773
2764	prs_debug(ps, depth, desc, "lsa_io_privilege_set");	2774	prs_debug(ps, depth, desc, "lsa_io_privilege_set");
2765	depth++;	2775	depth++;
Lines 2767-2773 Link Here
2767	if(!prs_align(ps))	2777	if(!prs_align(ps))
2768	return False;	2778	return False;
2769		2779
2770	if(!prs_uint32("count", ps, depth, &out->count))	2780	if(!prs_uint32("count", ps, depth, &dummy))
2771	return False;	2781	return False;
2772	if(!prs_uint32("control", ps, depth, &out->control))	2782	if(!prs_uint32("control", ps, depth, &out->control))
2773	return False;	2783	return False;

Lines 156-162 Link Here

(-)samba-3.0.24.orig/source/rpc_parse/parse_prs.c (-2 / +2 lines)
156	{	156	{
157	char *ret = NULL;	157	char *ret = NULL;
158		158
159	if (size) {	159	if (size && count) {
160	/* We can't call the type-safe version here. */	160	/* We can't call the type-safe version here. */
161	ret = _talloc_zero_array(ps->mem_ctx, size, count, "parse_prs");	161	ret = _talloc_zero_array(ps->mem_ctx, size, count, "parse_prs");
162	}	162	}
Lines 642-648 Link Here
642	return True;	642	return True;
643		643
644	if (UNMARSHALLING(ps)) {	644	if (UNMARSHALLING(ps)) {
645	if ( !(*data = PRS_ALLOC_MEM_VOID(ps, data_size)) )	645	if ( !(data = (void )PRS_ALLOC_MEM(ps, char, data_size)) )
646	return False;	646	return False;
647	}	647	}
648		648




 for you as it reads them.
********************************************************************/

static BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
{
	unsigned int i;
	uint32 old_offset;

		return False;

	if (UNMARSHALLING(ps)) {
		if (psa->num_aces) {
			if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
				return False;
		}
		 */
		if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
			return False;
	}

	for (i = 0; i < psa->num_aces; i++) {

Lines 227-234 Link Here

(-)samba-3.0.24.orig/source/rpc_parse/parse_spoolss.c (-1 / +6 lines)
227	if(!prs_uint32("count2", ps, depth, &type->count2))	227	if(!prs_uint32("count2", ps, depth, &type->count2))
228	return False;	228	return False;
229		229
230	if (type->count2 != type->count)	230	if (type->count2 != type->count) {
231	DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));	231	DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
		232	return False;
		233	}
		234	if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
		235	return False;
		236	}
232		237
233	/* parse the option type data */	238	/* parse the option type data */
234	for(i=0;i<type->count2;i++)	239	for(i=0;i<type->count2;i++)

Return to bug 177029

Lines 122-128 Link Here

(-)samba-3.0.24.orig/source/rpc_parse/parse_sec.c (-8 / +5 lines)
122	for you as it reads them.	122	for you as it reads them.
123	********************************************************************/	123	********************************************************************/
124		124
125	BOOL sec_io_acl(const char desc, SEC_ACL ppsa, prs_struct ps, int depth)	125	static BOOL sec_io_acl(const char desc, SEC_ACL ppsa, prs_struct ps, int depth)
126	{	126	{
127	unsigned int i;	127	unsigned int i;
128	uint32 old_offset;	128	uint32 old_offset;
Lines 165-177 Link Here
165	return False;	165	return False;
166		166
167	if (UNMARSHALLING(ps)) {	167	if (UNMARSHALLING(ps)) {
168	/*	168	if (psa->num_aces) {
169	* Even if the num_aces is zero, allocate memory as there's a difference	169	if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
170	* between a non-present DACL (allow all access) and a DACL with no ACE's	170	return False;
171	* (allow no access).	171	}
172	*/
173	if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
174	return False;
175	}	172	}
176		173
177	for (i = 0; i < psa->num_aces; i++) {	174	for (i = 0; i < psa->num_aces; i++) {