r4490: when implementing one rpc server call in terms of another call, you

must zero r.out before making the 2nd call if the 2nd call has any
non-ref out parameters. This is needed for the case where the 2nd call
fails, and the 1st call would then fill in its out fields based on
uninitialised memory.

diff --git a/source/rpc_server/samr/dcesrv_samr.c b/source/rpc_server/samr/dcesrv_samr.c
index 3650c904a3df713b289727bbcba0e5b9f4504d45..92de6fe402393b464d6fa72fc1045c2d6c274bc2 100644 (file)
--- a/source/rpc_server/samr/dcesrv_samr.c
+++ b/source/rpc_server/samr/dcesrv_samr.c
@@ -3306,6 +3306,7 @@ static NTSTATUS samr_QueryUserInfo2(struct dcesrv_call_state *dce_call, TALLOC_C
        struct samr_QueryUserInfo r1;
        NTSTATUS status;
 
+       ZERO_STRUCT(r1.out);
        r1.in.user_handle = r->in.user_handle;
        r1.in.level  = r->in.level;
        
@@ -3321,7 +3322,7 @@ static NTSTATUS samr_QueryUserInfo2(struct dcesrv_call_state *dce_call, TALLOC_C
   samr_QueryDisplayInfo2 
 */
 static NTSTATUS samr_QueryDisplayInfo2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-                      struct samr_QueryDisplayInfo2 *r)
+                                      struct samr_QueryDisplayInfo2 *r)
 {
        struct samr_QueryDisplayInfo q;
        NTSTATUS result;
@@ -3331,6 +3332,7 @@ static NTSTATUS samr_QueryDisplayInfo2(struct dcesrv_call_state *dce_call, TALLO
        q.in.start_idx = r->in.start_idx;
        q.in.max_entries = r->in.max_entries;
        q.in.buf_size = r->in.buf_size;
+       ZERO_STRUCT(q.out);
 
        result = samr_QueryDisplayInfo(dce_call, mem_ctx, &q);