Never free anything in the rpc_parse/prs_XXX functions. Do it in the enclosing

function.
lib/util_unistr.c: Check lengths *before* reading source - prevent uninitialised
memory reads.
Jeremy.
(This used to be commit ce4f461965c872fbfc9fe5f6b98aed58bb3dd67a)

diff --git a/source3/lib/util_unistr.c b/source3/lib/util_unistr.c
index 5e86d5db0b1cc7a4d1bf8d903429ea76874addb7..259b44e2002a732f71f539bf1ff23d7908d1f109 100644 (file)
--- a/source3/lib/util_unistr.c
+++ b/source3/lib/util_unistr.c
@@ -300,7 +300,7 @@ void unistr2_to_ascii(char *dest, const UNISTR2 *str, size_t maxlen)
                return;
        }
 
-       for (p = dest; *src && p-dest < len; src++) {
+       for (p = dest; (p-dest < len) && *src; src++) {
                uint16 ucs2_val = SVAL(src,0);
                uint16 cp_val = ucs2_to_doscp[ucs2_val];
 
@@ -341,7 +341,7 @@ char *dos_buffer2_to_str(BUFFER2 *str)
 
        nexti = (nexti+1)%8;
 
-       for (p = lbuf; *src && p-lbuf < max_size; src++) {
+       for (p = lbuf; (p-lbuf < max_size) && *src; src++) {
                uint16 ucs2_val = SVAL(src,0);
                uint16 cp_val = ucs2_to_doscp[ucs2_val];
 
@@ -405,7 +405,7 @@ size_t dos_struni2(char *dst, const char *src, size_t max_len)
                return 0;
 
        if (src != NULL) {
-               for (; *src && len < max_len-2; len++, dst +=2) {
+               for (; (len < max_len-2) && *src; len++, dst +=2) {
                        size_t skip = get_character_len(*src);
                        smb_ucs2_t val = (*src & 0xff);
 
@@ -444,7 +444,7 @@ char *dos_unistr(char *buf)
 
        nexti = (nexti+1)%8;
 
-       for (p = lbuf; *src && p-lbuf < MAXUNI-3; src++) {
+       for (p = lbuf; (p-lbuf < MAXUNI-3) && *src; src++) {
                uint16 ucs2_val = SVAL(src,0);
                uint16 cp_val = ucs2_to_doscp[ucs2_val];
 
@@ -712,7 +712,7 @@ static char *unicode_to_multibyte(char *dst, const smb_ucs2_t *src,
 {
        size_t dst_pos;
 
-       for(dst_pos = 0; *src && (dst_pos < dst_len - 1);) {
+       for(dst_pos = 0; (dst_pos < dst_len - 1) && *src;) {
                smb_ucs2_t val = ucs2_to_cp[*src++];
                if(val < 256) {
                        dst[dst_pos++] = (char)val;

diff --git a/source3/rpc_parse/parse_lsa.c b/source3/rpc_parse/parse_lsa.c
index 41219854d1dfeabb76f03ac8489c7c34fa3ef5ba..2c15166f2651d3854685a8ebd1a94e725c7b0884 100644 (file)
--- a/source3/rpc_parse/parse_lsa.c
+++ b/source3/rpc_parse/parse_lsa.c
@@ -853,16 +853,6 @@ static BOOL lsa_io_trans_names(char *desc, LSA_TRANS_NAME_ENUM *trn,
                        if(!prs_align(ps))
                                return False;
                }
-
-               /* Free memory if we've sent it */
-
-               if (MARSHALLING(ps)) {
-                       safe_free(trn->name);
-                       safe_free(trn->uni_name);
-
-                       trn->name = NULL;
-                       trn->uni_name = NULL;
-               }
        }
 
        return True;

diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c
index 5fc40d692cd68e3c8ebd0b7d4ecb3beb2dec83b8..ed65e787b48a31bbdb6450a5559db150130e80c5 100644 (file)
--- a/source3/rpc_server/srv_lsa.c
+++ b/source3/rpc_server/srv_lsa.c
@@ -276,7 +276,7 @@ static void init_reply_lookup_names(LSA_R_LOOKUP_NAMES *r_l,
  Init lsa_trans_names.
  ***************************************************************************/
 
-static void init_lsa_trans_names(DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *trn,
+static void init_lsa_trans_names(TALLOC_CTX *ctx, DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *trn,
                                 int num_entries, DOM_SID2 *sid,
                                 uint32 *mapped_count)
 {
@@ -286,16 +286,18 @@ static void init_lsa_trans_names(DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *trn,
 
        /* Allocate memory for list of names */
 
-       if (!(trn->name = (LSA_TRANS_NAME *)malloc(sizeof(LSA_TRANS_NAME) *
-                                                 num_entries))) {
-               DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
-               return;
-       }
+       if (num_entries > 0) {
+               if (!(trn->name = (LSA_TRANS_NAME *)talloc(ctx, sizeof(LSA_TRANS_NAME) *
+                                                         num_entries))) {
+                       DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
+                       return;
+               }
 
-       if (!(trn->uni_name = (UNISTR2 *)malloc(sizeof(UNISTR2) * 
-                                               num_entries))) {
-               DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
-               return;
+               if (!(trn->uni_name = (UNISTR2 *)talloc(ctx, sizeof(UNISTR2) * 
+                                                       num_entries))) {
+                       DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
+                       return;
+               }
        }
 
        for (i = 0; i < num_entries; i++) {
@@ -375,21 +377,24 @@ static BOOL lsa_reply_lookup_sids(prs_struct *rdata, DOM_SID2 *sid, int num_entr
        DOM_R_REF ref;
        LSA_TRANS_NAME_ENUM names;
        uint32 mapped_count = 0;
+       TALLOC_CTX *ctx = talloc_init();
 
        ZERO_STRUCT(r_l);
        ZERO_STRUCT(ref);
        ZERO_STRUCT(names);
 
        /* set up the LSA Lookup SIDs response */
-       init_lsa_trans_names(&ref, &names, num_entries, sid, &mapped_count);
+       init_lsa_trans_names(ctx, &ref, &names, num_entries, sid, &mapped_count);
        init_reply_lookup_sids(&r_l, &ref, &names, mapped_count);
 
        /* store the response in the SMB stream */
        if(!lsa_io_r_lookup_sids("", &r_l, rdata, 0)) {
                DEBUG(0,("lsa_reply_lookup_sids: Failed to marshall LSA_R_LOOKUP_SIDS.\n"));
+               talloc_destroy(ctx);
                return False;
        }
 
+       talloc_destroy(ctx);
        return True;
 }