Registry server: Fixes up the patch with "type" != NULL (used in "EnumValue" and...
authorMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
Mon, 15 Sep 2008 17:21:38 +0000 (19:21 +0200)
committerJelmer Vernooij <jelmer@samba.org>
Tue, 21 Oct 2008 12:40:41 +0000 (14:40 +0200)
This prevents the server from segfaulting if the input data type is NULL.

source4/lib/registry/ldb.c
source4/rpc_server/winreg/rpc_winreg.c

index 95851dace097608e4fffd74e2cdf576578584773..8d02b3ce020454e730c0d0750e9994a35c88e22e 100644 (file)
@@ -289,7 +289,7 @@ static WERROR ldb_get_subkey_by_id(TALLOC_CTX *mem_ctx,
 }
 
 static WERROR ldb_get_default_value(TALLOC_CTX *mem_ctx, struct hive_key *k,
-                                 const char** name, uint32_t *data_type,
+                                 const char **name, uint32_t *data_type,
                                   DATA_BLOB *data)
 {
        struct ldb_key_data *kd = talloc_get_type(k, struct ldb_key_data);
@@ -797,11 +797,12 @@ static WERROR ldb_get_key_info(TALLOC_CTX *mem_ctx,
                        }
 
                        if (max_valbufsize != NULL) {
+                               uint32_t data_type;
                                DATA_BLOB data;
                                reg_ldb_unpack_value(mem_ctx, 
                                                     lp_iconv_convenience(global_loadparm),
                                                     kd->values[i], NULL, 
-                                                    NULL, &data);
+                                                    &data_type, &data);
                                *max_valbufsize = MAX(*max_valbufsize, data.length);
                                talloc_free(data.data);
                        }
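Review bot: The `max_valbufsize` branch now passes a throwaway `data_type` to `reg_ldb_unpack_value()`, which suggests the callee writes through its type argument without a NULL check (its body is not in this hunk). Fixing this at the call site leaves any other caller that passes NULL exposed to the same crash, so a guard inside `reg_ldb_unpack_value()` would be the more durable fix. If the local stays, a comment such as `/* unused; reg_ldb_unpack_value() requires a non-NULL type pointer */` above `uint32_t data_type;` would stop a later cleanup from reverting it to NULL. Separately, `data.length` is read with no visible initialisation or result check, so `DATA_BLOB data = { NULL, 0 };` would be safer if the callee can return without filling it. The enclosing ldb_get_key_info() starts and ends outside the hunk.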
index 5cabae53a234c918ff17eb89e567fd3fee698859..69631b3a6656d1d276ba25024c9cfc5aed658096 100644 (file)
@@ -278,7 +278,7 @@ static WERROR dcesrv_winreg_EnumValue(struct dcesrv_call_state *dce_call,
                data.length = *r->in.length;
        }
 
-       /* and enough room for the name */
+       /* check if there is enough room for the name */
        if (r->in.name->size < 2*strlen_m_term(data_name)) {
                return WERR_MORE_DATA;
        }
@@ -293,7 +293,11 @@ static WERROR dcesrv_winreg_EnumValue(struct dcesrv_call_state *dce_call,
        }
        r->out.name->size = r->in.name->size;
 
-       *r->out.value = data_type;
+       r->out.type = talloc(mem_ctx, uint32_t);
+       if (!r->out.type) {
+               return WERR_NOMEM;
+       }
+       *r->out.type = data_type;
 
        /* check the client has enough room for the value */
        if (r->in.value != NULL &&
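Review bot: The new `r->out.type = talloc(mem_ctx, uint32_t);` in dcesrv_winreg_EnumValue() has no comment saying why the out pointer is allocated here, although the commit message gives a security-relevant reason: the server could segfault when the client-supplied data type is NULL. I would add `/* allocate the result ourselves; the client-supplied type pointer may be NULL */` above the allocation so the guard is not removed as redundant later. The same allocate-and-check sequence appears in dcesrv_winreg_QueryValue() in the last hunk, so a small shared static helper would keep the two handlers from drifting apart. The function body continues outside this hunk.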
@@ -484,7 +488,6 @@ static WERROR dcesrv_winreg_QueryValue(struct dcesrv_call_state *dce_call,
                        value_data.length = *r->in.length;
                }
 
-               /* Just asking for the size of the buffer */
                r->out.type = talloc(mem_ctx, uint32_t);
                if (!r->out.type) {
                        return WERR_NOMEM;