The branch, master has been updated via cddc542... s3-winreg: Fix _winreg_QueryValue crash bugs and implement windows behavior. from 6441a5b... Explain why we don't use certain characters in the generated pw
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit cddc542ba5f30316ff4ee8fa591a54808b7be4c8 Author: Günther Deschner <g...@samba.org> Date: Thu Mar 11 12:21:08 2010 +0100 s3-winreg: Fix _winreg_QueryValue crash bugs and implement windows behavior. Found by RPC-WINREG smbtorture test. Guenther ----------------------------------------------------------------------- Summary of changes: source3/rpc_server/srv_winreg_nt.c | 19 ++++++++----------- 1 files changed, 8 insertions(+), 11 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/rpc_server/srv_winreg_nt.c b/source3/rpc_server/srv_winreg_nt.c
index 15c79be..5912322 100644
--- a/source3/rpc_server/srv_winreg_nt.c
+++ b/source3/rpc_server/srv_winreg_nt.c
@@ -230,12 +230,10 @@ WERROR _winreg_QueryValue(pipes_struct *p, struct winreg_QueryValue *r)
 if ( !regkey )
 return WERR_BADFID;
- if ((r->out.data_length == NULL) || (r->out.type == NULL)) {
+ if ((r->out.data_length == NULL) || (r->out.type == NULL) || (r->out.data_size == NULL)) {
 return WERR_INVALID_PARAM;
 }
- *r->out.data_length = *r->out.type = REG_NONE;
-
 DEBUG(7,("_winreg_QueryValue: policy key name = [%s]\n", regkey->key->name));
 DEBUG(7,("_winreg_QueryValue: policy key type = [%08x]\n", regkey->key->type));
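Review bot: With the `*r->out.data_length = *r->out.type = REG_NONE;` reset dropped here, any later return path that does not assign these outputs sends back whatever the pointers held on entry; the too-small-buffer branch in the second hunk, for example, writes `data_size` but never `data_length`. If that is the intended Windows behaviour, say so at this spot so a later cleanup does not re-add the reset or assume the fields are zeroed, e.g. `/* type and data_length are intentionally not reset here; failure paths return them as received */`. Whether the values on entry are client-supplied depends on how the in/out pointers are unmarshalled, which is not visible in this hunk. The function body starts before and continues past the hunk.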
@@ -310,19 +308,18 @@ WERROR _winreg_QueryValue(pipes_struct *p, struct winreg_QueryValue *r)
 *r->out.type = val->type;
 }
- *r->out.data_length = outbuf_size;
+ status = WERR_BADFILE;
- if ( *r->in.data_size == 0 || !r->out.data ) {
- status = WERR_OK;
- } else if ( *r->out.data_length > *r->in.data_size ) {
- status = WERR_MORE_DATA;
+ if (*r->in.data_size < outbuf_size) {
+ *r->out.data_size = outbuf_size;
+ status = r->in.data ? WERR_MORE_DATA : WERR_OK;
 } else {
- memcpy( r->out.data, outbuf, *r->out.data_length );
+ *r->out.data_length = outbuf_size;
+ *r->out.data_size = outbuf_size;
+ memcpy(r->out.data, outbuf, outbuf_size);
 status = WERR_OK;
 }
- *r->out.data_size = *r->out.data_length;
-
 if (free_prs) prs_mem_free(&prs_hkpd);
 if (free_buf) SAFE_FREE(outbuf);
-- Samba Shared Repository
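Review bot: The `else` branch calls `memcpy(r->out.data, outbuf, outbuf_size)` without the `!r->out.data` test that the removed code had, so a request whose `data_size` is at least `outbuf_size` but which carries no data buffer would reach a NULL destination inside the server. Whether the unmarshalling layer can deliver that combination is not visible here, but the guard is cheap: `if (r->out.data == NULL || *r->in.data_size < outbuf_size) {` sends it down the size-only path, which already yields WERR_OK when `r->in.data` is NULL (assuming `in.data` and `out.data` refer to the same buffer). The copy also relies on the buffer behind `r->out.data` holding at least `*r->in.data_size` bytes, an assumption worth stating in a comment above the `memcpy`. The function continues past the end of the hunk.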