Parameterize in local.h the MAX_RPC_DATA_SIZE, and ensure

that "offered" read from the rpc packet in spoolss is under
that size. Tidyup from analysis from Veracode.
Jeremy.

diff --git a/source3/include/local.h b/source3/include/local.h
index c125ded37130302ec54531e18846b2fbf74f2249..45767ad1c150dfffe99853ebbfc19e55d4038127 100644 (file)
--- a/source3/include/local.h
+++ b/source3/include/local.h
@@ -253,4 +253,7 @@
 /* Windows minimum lock resolution timeout in ms */
 #define WINDOWS_MINIMUM_LOCK_TIMEOUT_MS 200
 
+/* Maximum size of RPC data we will accept for one call. */
+#define MAX_RPC_DATA_SIZE (15*1024*1024)
+
 #endif

diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
index 0804af7ca9e4b6769f391ae5177e855b5419a17a..6dead2d26491ee38e9adf14e73b59b082effbc33 100644 (file)
--- a/source3/rpc_server/srv_pipe_hnd.c
+++ b/source3/rpc_server/srv_pipe_hnd.c
@@ -426,7 +426,7 @@ static bool process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
         * will not fit in the initial buffer of size 0x1068   --jerry 22/01/2002
         */
        
-       if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) {
+       if(prs_offset(&p->in_data.data) + data_len > MAX_RPC_DATA_SIZE) {
                DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
                                (unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
                set_incoming_fault(p);

diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index 7199441820915e5d8e33082d345f0200a1ce70d0..ef02dcfa268a450bfc57d917d6b35c2bb50ae41e 100644 (file)
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -4683,6 +4683,10 @@ WERROR _spoolss_enumprinters( pipes_struct *p, SPOOL_Q_ENUMPRINTERS *q_u, SPOOL_
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -5040,6 +5044,10 @@ WERROR _spoolss_getprinter(pipes_struct *p, SPOOL_Q_GETPRINTER *q_u, SPOOL_R_GET
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -5701,6 +5709,10 @@ WERROR _spoolss_getprinterdriver2(pipes_struct *p, SPOOL_Q_GETPRINTERDRIVER2 *q_
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -6788,6 +6800,10 @@ WERROR _spoolss_enumjobs( pipes_struct *p, SPOOL_Q_ENUMJOBS *q_u, SPOOL_R_ENUMJO
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -7168,6 +7184,10 @@ WERROR _spoolss_enumprinterdrivers( pipes_struct *p, SPOOL_Q_ENUMPRINTERDRIVERS
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -7256,6 +7276,10 @@ WERROR _spoolss_enumforms(pipes_struct *p, SPOOL_Q_ENUMFORMS *q_u, SPOOL_R_ENUMF
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -7665,6 +7689,10 @@ WERROR _spoolss_enumports( pipes_struct *p, SPOOL_Q_ENUMPORTS *q_u, SPOOL_R_ENUM
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -8076,6 +8104,10 @@ WERROR _spoolss_getprinterdriverdirectory(pipes_struct *p, SPOOL_Q_GETPRINTERDRI
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -8710,6 +8742,10 @@ WERROR _spoolss_enumprintprocessors(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCESSORS
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -8789,6 +8825,10 @@ WERROR _spoolss_enumprintprocdatatypes(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCDAT
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -8917,6 +8957,10 @@ WERROR _spoolss_enumprintmonitors(pipes_struct *p, SPOOL_Q_ENUMPRINTMONITORS *q_
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -9093,6 +9137,10 @@ WERROR _spoolss_getjob( pipes_struct *p, SPOOL_Q_GETJOB *q_u, SPOOL_R_GETJOB *r_
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;
 
@@ -9714,6 +9762,10 @@ WERROR _spoolss_getprintprocessordirectory(pipes_struct *p, SPOOL_Q_GETPRINTPROC
                return WERR_INVALID_PARAM;
        }
 
+       if (offered > MAX_RPC_DATA_SIZE) {
+               return WERR_INVALID_PARAM;
+       }
+
        rpcbuf_move(q_u->buffer, &r_u->buffer);
        buffer = r_u->buffer;