[SCM] Samba Shared Repository - branch master updated

Günther Deschner Thu, 11 Mar 2010 04:09:30 -0800

The branch, master has been updated
       via  cddc542... s3-winreg: Fix _winreg_QueryValue crash bugs and 
implement windows behavior.
      from  6441a5b... Explain why we don't use certain characters in the 
generated pw


http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit cddc542ba5f30316ff4ee8fa591a54808b7be4c8
Author: GÃ¼nther Deschner <g...@samba.org>
Date:   Thu Mar 11 12:21:08 2010 +0100

    s3-winreg: Fix _winreg_QueryValue crash bugs and implement windows behavior.
    
    Found by RPC-WINREG smbtorture test.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/rpc_server/srv_winreg_nt.c |   19 ++++++++-----------
 1 files changed, 8 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/srv_winreg_nt.c 
b/source3/rpc_server/srv_winreg_nt.c
index 15c79be..5912322 100644
--- a/source3/rpc_server/srv_winreg_nt.c
+++ b/source3/rpc_server/srv_winreg_nt.c
@@ -230,12 +230,10 @@ WERROR _winreg_QueryValue(pipes_struct *p, struct 
winreg_QueryValue *r)
        if ( !regkey )
                return WERR_BADFID;
 
-       if ((r->out.data_length == NULL) || (r->out.type == NULL)) {
+       if ((r->out.data_length == NULL) || (r->out.type == NULL) || 
(r->out.data_size == NULL)) {
                return WERR_INVALID_PARAM;
        }
 
-       *r->out.data_length = *r->out.type = REG_NONE;
-
        DEBUG(7,("_winreg_QueryValue: policy key name = [%s]\n", 
regkey->key->name));
        DEBUG(7,("_winreg_QueryValue: policy key type = [%08x]\n", 
regkey->key->type));
 
@@ -310,19 +308,18 @@ WERROR _winreg_QueryValue(pipes_struct *p, struct 
winreg_QueryValue *r)
                *r->out.type = val->type;
        }
 
-       *r->out.data_length = outbuf_size;
+       status = WERR_BADFILE;
 
-       if ( *r->in.data_size == 0 || !r->out.data ) {
-               status = WERR_OK;
-       } else if ( *r->out.data_length > *r->in.data_size ) {
-               status = WERR_MORE_DATA;
+       if (*r->in.data_size < outbuf_size) {
+               *r->out.data_size = outbuf_size;
+               status = r->in.data ? WERR_MORE_DATA : WERR_OK;
        } else {
-               memcpy( r->out.data, outbuf, *r->out.data_length );
+               *r->out.data_length = outbuf_size;
+               *r->out.data_size = outbuf_size;
+               memcpy(r->out.data, outbuf, outbuf_size);
                status = WERR_OK;
        }
 
-       *r->out.data_size = *r->out.data_length;
-
        if (free_prs) prs_mem_free(&prs_hkpd);
        if (free_buf) SAFE_FREE(outbuf);
 


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

Reply via email to