Don't core dump listing thousands of users in usrmgr.
authorJeremy Allison <jra@samba.org>
Fri, 29 Mar 2002 21:50:21 +0000 (21:50 +0000)
committerJeremy Allison <jra@samba.org>
Fri, 29 Mar 2002 21:50:21 +0000 (21:50 +0000)
Jeremy.

source/rpc_server/srv_lsa_nt.c
source/rpc_server/srv_samr_nt.c

index e6fc66b67291aa86518273ff6db545a3bb8fa10b..af02a97769216e4ea057529cbdf1109b8625662b 100644 (file)
@@ -577,16 +577,21 @@ NTSTATUS _lsa_lookup_sids(pipes_struct *p, LSA_Q_LOOKUP_SIDS *q_u, LSA_R_LOOKUP_
        ref = (DOM_R_REF *)talloc_zero(p->mem_ctx, sizeof(DOM_R_REF));
        names = (LSA_TRANS_NAME_ENUM *)talloc_zero(p->mem_ctx, sizeof(LSA_TRANS_NAME_ENUM));
 
-       if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
-               return NT_STATUS_INVALID_HANDLE;
+       if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle)) {
+               r_u->status = NT_STATUS_INVALID_HANDLE;
+               goto done;
+       }
 
        /* check if the user have enough rights */
-       if (!(handle->access & POLICY_LOOKUP_NAMES))
-               return NT_STATUS_ACCESS_DENIED;
-
+       if (!(handle->access & POLICY_LOOKUP_NAMES)) {
+               r_u->status = NT_STATUS_ACCESS_DENIED;
+               goto done;
+       }
        if (!ref || !names)
                return NT_STATUS_NO_MEMORY;
 
+done:
+
        /* set up the LSA Lookup SIDs response */
        init_lsa_trans_names(p->mem_ctx, ref, names, num_entries, sid, &mapped_count);
        init_reply_lookup_sids(r_u, ref, names, mapped_count);
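Review bot: Both new `goto done` paths jump over the `if (!ref || !names)` check, so on an invalid handle or a denied access a failed `talloc_zero` hands NULL `ref`/`names` to `init_lsa_trans_names` and `init_reply_lookup_sids`; the `_lsa_lookup_names` hunk has the same gap for `ref`/`rids`. Moving the allocation check directly under the two `talloc_zero` calls closes it: `if (!ref || !names) return NT_STATUS_NO_MEMORY;`. The jump also means a caller that failed the `POLICY_LOOKUP_NAMES` check still drives the full translation with its own `num_entries` and `sid`, and the result is placed in the reply next to the error status. The error paths should build an empty reply instead, for example by zeroing the entry count before `goto done`. The declaration of `num_entries` and the end of the function are outside the hunk, so confirm it is a local copy and that nothing later overwrites `r_u->status`.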
@@ -615,16 +620,22 @@ NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP
        ref = (DOM_R_REF *)talloc_zero(p->mem_ctx, sizeof(DOM_R_REF));
        rids = (DOM_RID2 *)talloc_zero(p->mem_ctx, sizeof(DOM_RID2)*num_entries);
 
-       if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
-               return NT_STATUS_INVALID_HANDLE;
+       if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle)) {
+               r_u->status = NT_STATUS_INVALID_HANDLE;
+               goto done;
+       }
 
        /* check if the user have enough rights */
-       if (!(handle->access & POLICY_LOOKUP_NAMES))
-               return NT_STATUS_ACCESS_DENIED;
+       if (!(handle->access & POLICY_LOOKUP_NAMES)) {
+               r_u->status = NT_STATUS_ACCESS_DENIED;
+               goto done;
+       }
 
        if (!ref || !rids)
                return NT_STATUS_NO_MEMORY;
 
+done:
+
        /* set up the LSA Lookup RIDs response */
        init_lsa_rid2s(ref, rids, num_entries, names, &mapped_count, p->endian);
        init_reply_lookup_names(r_u, ref, num_entries, rids, mapped_count);
index e47619eb74cce9d9522f88ecb99a8bfdc2d67d3d..c83f6b3d8db57f1becdecf189fbd84c209ed0599 100644 (file)
@@ -972,10 +972,10 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_
        }
 
        /* calculate the size and limit on the number of entries we will return */
-       temp_size=(enum_context+max_entries)*struct_size;
+       temp_size=max_entries*struct_size;
        
        if (temp_size>max_size) {
-               max_entries=max_size/struct_size;
+               max_entries=MIN((max_size/struct_size),max_entries);;
                DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to only %d entries\n", max_entries));
        }
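Review bot: The product `max_entries*struct_size` on the new `temp_size` line is computed before any bound is applied, so if `max_entries` comes from the request and the operands are 32-bit (their declarations are outside the hunk), a large value could wrap and slip past the `temp_size>max_size` clamp. Comparing by division avoids the multiplication: `if (struct_size && max_entries > max_size/struct_size) max_entries = max_size/struct_size;`. Inside the existing branch the added `MIN(...)` always selects `max_size/struct_size` when no wrap occurred, so it adds nothing there, and the line ends in a stray `;;`. A short comment stating why `enum_context` no longer contributes to the size would help the next reader, since the reason is only implied by the commit title.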