s4:winreg RPC - fix up the "QueryValue" call to work against the enhanced torture...
authorMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
Wed, 10 Mar 2010 18:49:25 +0000 (19:49 +0100)
committerMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
Wed, 10 Mar 2010 18:49:25 +0000 (19:49 +0100)
Found out by gd's updated torture test.

source4/rpc_server/winreg/rpc_winreg.c

index c12c0c52e7bccecca3ba7aabd376ba7c1fd53d6e..7a33a88e0db46b45e21c0280cb5418b155d8ce32 100644 (file)
@@ -491,19 +491,23 @@ static WERROR dcesrv_winreg_QueryValue(struct dcesrv_call_state *dce_call,
        case SECURITY_SYSTEM:
        case SECURITY_ADMINISTRATOR:
        case SECURITY_USER:
+               if ((r->in.type == NULL) || (r->in.data_length == NULL) ||
+                   (r->in.data_size == NULL)) {
+                       return WERR_INVALID_PARAM;
+               }
+
                result = reg_key_get_value_by_name(mem_ctx, key, 
                         r->in.value_name->name, &value_type, &value_data);
                
                if (!W_ERROR_IS_OK(result)) {
                        /* if the lookup wasn't successful, send client query back */
-                       value_type = 0;
-                       if (r->in.type != NULL) {
-                               value_type = *r->in.type;
-                       }
+                       value_type = *r->in.type;
                        value_data.data = r->in.data;
-                       value_data.length = 0;
-                       if (r->in.data_length != NULL) {
-                               value_data.length = *r->in.data_length;
+                       value_data.length = *r->in.data_length;
+               } else {
+                       if ((r->in.data != NULL)
+                           && (*r->in.data_size < value_data.length)) {
+                               return WERR_MORE_DATA;
                        }
                }
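Review bot: In the `!W_ERROR_IS_OK(result)` arm, `value_data.length` is now copied straight from `*r->in.data_length` while `value_data.data` is `r->in.data`, and the new guard at the top does not require `r->in.data` to be non-NULL or the length to fit within `*r->in.data_size`, so a request can pair a NULL or short buffer with a larger length. Only the success arm compares against `*r->in.data_size`. Whether this is harmless depends on how `value_data` is used after the hunk, which is not visible here because the body of dcesrv_winreg_QueryValue continues past it. If the values are only echoed back, a comment should say so, e.g. `/* length is client-supplied and unchecked against data/data_size; it is echoed back, never used to read r->in.data */`. Otherwise consider a clamp such as `if (r->in.data == NULL) value_data.length = 0;`, provided that matches the behaviour the torture test expects.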