s3-winreg: Fix _winreg_QueryValue crash bugs and implement windows behavior.
authorGünther Deschner <gd@samba.org>
Thu, 11 Mar 2010 11:21:08 +0000 (12:21 +0100)
committerGünther Deschner <gd@samba.org>
Thu, 11 Mar 2010 11:48:43 +0000 (12:48 +0100)
Found by RPC-WINREG smbtorture test.

Guenther

source3/rpc_server/srv_winreg_nt.c

index 15c79bea46a3e3444eef8140c7dcd5be4c7c00ff..5912322d93ff853921a7106f331e57bbef3c46b6 100644 (file)
@@ -230,12 +230,10 @@ WERROR _winreg_QueryValue(pipes_struct *p, struct winreg_QueryValue *r)
        if ( !regkey )
                return WERR_BADFID;
 
-       if ((r->out.data_length == NULL) || (r->out.type == NULL)) {
+       if ((r->out.data_length == NULL) || (r->out.type == NULL) || (r->out.data_size == NULL)) {
                return WERR_INVALID_PARAM;
        }
 
-       *r->out.data_length = *r->out.type = REG_NONE;
-
        DEBUG(7,("_winreg_QueryValue: policy key name = [%s]\n", regkey->key->name));
        DEBUG(7,("_winreg_QueryValue: policy key type = [%08x]\n", regkey->key->type));
 
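Review bot: The extended guard covers r->out.data_size but not r->in.data_size, which the later hunk of this function dereferences (`*r->in.data_size < outbuf_size`); since data_size is a unique (nullable) pointer in the IDL, a request carrying a NULL data_size still crashes there unless the generated server stub aliases the out pointer to the in pointer, so adding `|| (r->in.data_size == NULL)` to this condition removes the dependence on that aliasing. Dropping the `REG_NONE` initialization also means `*r->out.type` and `*r->out.data_length` are written only on the paths that explicitly assign them, so on the insufficient-buffer path the reply echoes whatever the client sent in those fields; if that is the intended Windows behaviour, a comment at the removed line such as `/* out.type/data_length are left untouched when the buffer is too small, matching Windows */` would save the next reader the question. _winreg_QueryValue begins before and continues past this hunk.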
@@ -310,19 +308,18 @@ WERROR _winreg_QueryValue(pipes_struct *p, struct winreg_QueryValue *r)
                *r->out.type = val->type;
        }
 
-       *r->out.data_length = outbuf_size;
+       status = WERR_BADFILE;
 
-       if ( *r->in.data_size == 0 || !r->out.data ) {
-               status = WERR_OK;
-       } else if ( *r->out.data_length > *r->in.data_size ) {
-               status = WERR_MORE_DATA;
+       if (*r->in.data_size < outbuf_size) {
+               *r->out.data_size = outbuf_size;
+               status = r->in.data ? WERR_MORE_DATA : WERR_OK;
        } else {
-               memcpy( r->out.data, outbuf, *r->out.data_length );
+               *r->out.data_length = outbuf_size;
+               *r->out.data_size = outbuf_size;
+               memcpy(r->out.data, outbuf, outbuf_size);
                status = WERR_OK;
        }
 
-       *r->out.data_size = *r->out.data_length;
-
        if (free_prs) prs_mem_free(&prs_hkpd);
        if (free_buf) SAFE_FREE(outbuf);