
samba-3.0.24-2.7mdv2007.1.src.rpm

Index: source/rpc_parse/parse_prs.c
===================================================================
--- source/rpc_parse/parse_prs.c
+++ source/rpc_parse/parse_prs.c
@@ -644,7 +644,7 @@
 		return True;
 
 	if (UNMARSHALLING(ps)) {
-		if ( !(*data = PRS_ALLOC_MEM_VOID(ps, data_size)) )
+		if ( !(*data = PRS_ALLOC_MEM(ps, char, data_size)) )
 			return False;
 	}
 
Index: source/rpc_parse/parse_sec.c
===================================================================
--- source/rpc_parse/parse_sec.c
+++ source/rpc_parse/parse_sec.c
@@ -165,13 +165,12 @@
		return False;

	if (UNMARSHALLING(ps)) {
-		/*
-		 * Even if the num_aces is zero, allocate memory as there's a difference
-		 * between a non-present DACL (allow all access) and a DACL with no ACE's
-		 * (allow no access).
-		 */
-		if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
-			return False;
+		if (psa->num_aces) {
+			if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
+				return False;
+		} else {
+			psa->ace = NULL;
+		}
	}

	for (i = 0; i < psa->num_aces; i++) {
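Review bot: The new `else` branch leaves `psa->ace == NULL` for an ACL with zero ACEs, and the deleted comment was the only place recording that an empty DACL (allow no access) must stay distinguishable from an absent one (allow all access). Any consumer that tested `ace != NULL` to tell the two apart would now read an empty DACL as absent, which fails open; those consumers are outside this hunk, so this needs checking rather than assuming. I would keep a comment on the branch, e.g. `/* zero ACEs: ace stays NULL; an empty DACL is recognised by the ACL being present with num_aces == 0, never by ace != NULL */`. The enclosing function starts and ends outside the hunk.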
Index: source/rpc_parse/parse_dfs.c
===================================================================
--- source/rpc_parse/parse_dfs.c
+++ source/rpc_parse/parse_dfs.c
@@ -325,7 +325,14 @@
			return False;
		
		if (UNMARSHALLING(ps)) {
-			v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+			if (v->num_stores) {
+				v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+				if (!v->stores) {
+					return False;
+				}
+			} else {
+				v->stores = NULL;
+ 			}
		}
		for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
			if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
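Review bot: The same allocate-or-NULL block is pasted here and in the seven following hunks (@@ -447, -920, -986, -1052, -1118, -1184, -1250), and the closing `+ 			}` in the first three carries a stray space before the tabs. The element count (`v->num_stores`, `v->count`) is presumably read from the wire just above each hunk and has no upper bound, so the only protection against an oversized request is `PRS_ALLOC_MEM` failing. Whether `prs_alloc_mem` rejects a `sizeof(type) * count` product that overflows is not visible in this patch and should be confirmed. If parse_dfs.c is generated (the `i_stores_1` style names suggest it), the generator template needs the same change, or a regeneration will bring back the unchecked allocation.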
@@ -447,7 +455,14 @@
			return False;
		
		if (UNMARSHALLING(ps)) {
-			v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+			if (v->num_stores) {
+				v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+				if (!v->stores) {
+					return False;
+				}
+			} else {
+				v->stores = NULL;
+ 			}
		}
		for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
			if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
@@ -920,7 +936,14 @@
			return False;
		
		if (UNMARSHALLING(ps)) {
-			v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+			if (v->count) {
+				v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO1,v->count);
+				if (!v->s) {
+					return False;
+				}
+			} else {
+				v->s = NULL;
+ 			}
		}
		for (i_s_1=0; i_s_1<v->count;i_s_1++) {
			if (!netdfs_io_dfs_Info1_p("s", &v->s[i_s_1], ps, depth))
@@ -986,7 +1009,14 @@
			return False;
		
		if (UNMARSHALLING(ps)) {
-			v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+			if (v->count) {
+				v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO2,v->count);
+				if (!v->s) {
+					return False;
+				}
+			} else {
+				v->s = NULL;
+			}
		}
		for (i_s_1=0; i_s_1<v->count;i_s_1++) {
			if (!netdfs_io_dfs_Info2_p("s", &v->s[i_s_1], ps, depth))
@@ -1052,7 +1084,14 @@
			return False;
		
		if (UNMARSHALLING(ps)) {
-			v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+			if (v->count) {
+				v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO3,v->count);
+				if (!v->s) {
+					return False;
+				}
+			} else {
+				v->s = NULL;
+			}
		}
		for (i_s_1=0; i_s_1<v->count;i_s_1++) {
			if (!netdfs_io_dfs_Info3_p("s", &v->s[i_s_1], ps, depth))
@@ -1118,7 +1158,14 @@
			return False;
		
		if (UNMARSHALLING(ps)) {
-			v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+			if (v->count) {
+				v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO4,v->count);
+				if (!v->s) {
+					return False;
+				}
+			} else {
+				v->s = NULL;
+			}
		}
		for (i_s_1=0; i_s_1<v->count;i_s_1++) {
			if (!netdfs_io_dfs_Info4_p("s", &v->s[i_s_1], ps, depth))
@@ -1184,7 +1232,14 @@
			return False;
		
		if (UNMARSHALLING(ps)) {
-			v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+			if (v->count) {
+				v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO200,v->count);
+				if (!v->s) {
+					return False;
+				}
+			} else {
+				v->s = NULL;
+			}
		}
		for (i_s_1=0; i_s_1<v->count;i_s_1++) {
			if (!netdfs_io_dfs_Info200_p("s", &v->s[i_s_1], ps, depth))
@@ -1250,7 +1306,14 @@
			return False;
		
		if (UNMARSHALLING(ps)) {
-			v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+			if (v->count) {
+				v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO300,v->count);
+				if (!v->s) {
+					return False;
+				}
+			} else {
+				v->s = NULL;
+			}
		}
		for (i_s_1=0; i_s_1<v->count;i_s_1++) {
			if (!netdfs_io_dfs_Info300_p("s", &v->s[i_s_1], ps, depth))
Index: source/rpc_parse/parse_lsa.c
===================================================================
--- source/rpc_parse/parse_lsa.c
+++ source/rpc_parse/parse_lsa.c
@@ -1356,12 +1356,17 @@
 			       &trn->num_entries2))
 			return False;
 
+		if (trn->num_entries2 != trn->num_entries) {
+			/* RPC fault */
+			return False;
+		}
+
 		if (UNMARSHALLING(ps)) {
-			if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {
+			if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
 				return False;
 			}
 
-			if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+			if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
 				return False;
 			}
 		}
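Review bot: The mismatch check returns `False` with only `/* RPC fault */` as explanation and no log line, so a malformed request that trips it leaves nothing for an operator to see; the same applies to the identical check in the next hunk (@@ -1413). A short trace before the return, e.g. `DEBUG(3,("num_entries2 %u != num_entries %u\n", (unsigned)trn->num_entries2, (unsigned)trn->num_entries));`, would make rejected packets visible. The comment could also say why the counts must agree; presumably one sizes `trn->name`/`trn->uni_name` and the other bounds a loop that follows outside the hunk. Note that the check runs in both directions, not only under `UNMARSHALLING(ps)`.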
@@ -1413,12 +1418,17 @@
 			       &trn->num_entries2))
 			return False;
 
+		if (trn->num_entries2 != trn->num_entries) {
+			/* RPC fault */
+			return False;
+		}
+
 		if (UNMARSHALLING(ps)) {
-			if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries)) == NULL) {
+			if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) {
 				return False;
 			}
 
-			if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+			if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
 				return False;
 			}
 		}
@@ -2759,7 +2759,7 @@
 
 static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struct *ps, int depth)
 {
-	uint32 i;
+	uint32 i, dummy;
 
 	prs_debug(ps, depth, desc, "lsa_io_privilege_set");
 	depth++;
@@ -2767,7 +2767,7 @@
 	if(!prs_align(ps))
 		return False;
  
-	if(!prs_uint32("count", ps, depth, &out->count))
+	if(!prs_uint32("count", ps, depth, &dummy))
 		return False;
 	if(!prs_uint32("control", ps, depth, &out->control))
 		return False;
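Review bot: `dummy` is declared in the previous hunk without an initializer and then handed to `prs_uint32("count", ...)`; if `lsa_io_privilege_set` is ever run in the marshalling direction, that call would presumably serialize an indeterminate stack value as the count. Initializing it from the structure, `uint32 i, dummy = out->count;`, keeps the written value correct while still not letting a received count overwrite `out->count`. A comment such as `/* the wire count is read but ignored; out->count is expected to be set by the caller */` would record the intent, though whether the caller really sets it is outside this patch. The function body continues past the hunk.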
Index: source/rpc_parse/parse_spoolss.c
===================================================================
--- source/rpc_parse/parse_spoolss.c
+++ source/rpc_parse/parse_spoolss.c
@@ -230,6 +230,10 @@
 	if (type->count2 != type->count)
 		DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
 
+	if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
+		return False;
+	}
+
 	/* parse the option type data */
 	for(i=0;i<type->count2;i++)
 		if(!prs_uint16("fields",ps,depth,&type->fields[i]))
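Review bot: The new guard bounds `count2` against `MAX_NOTIFY_TYPE_FOR_NOW`, but the loop below indexes `type->fields[i]`, and nothing in the hunk ties that constant to the declared size of `fields`. If the array is a fixed member, a comment or a bound derived from it (`sizeof(type->fields)/sizeof(type->fields[0])`) would keep the two from drifting apart. The `count2 != count` case just above is still only logged at `DEBUG(4,...)` and parsing continues, so it is worth stating in a comment that `count2` alone governs the loop. The rejection itself is silent; a `DEBUG` line before `return False;` would make oversized requests visible. The loop body continues outside the hunk.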
Index: source/include/smb_macros.h
===================================================================
--- source/include/smb_macros.h
+++ source/include/smb_macros.h
@@ -295,7 +295,6 @@
 #if defined(PARANOID_MALLOC_CHECKER)
 
 #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem_((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem_((ps),(size),1)
 
 /* Get medieval on our ass about malloc.... */
 
@@ -334,7 +333,6 @@
 #else
 
 #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem((ps),(size),1)
 
 /* Regular malloc code. */