svn commit: samba r13989 - in branches/SAMBA_3_0/source/rpc_parse: .

jra at samba.org jra at samba.org
Tue Mar 7 20:52:49 GMT 2006


Author: jra
Date: 2006-03-07 20:52:43 +0000 (Tue, 07 Mar 2006)
New Revision: 13989

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13989

Log:
Fix for Coverity bug #45 and associated spoolss RPC_BUFFER
problems. Ensure that if the parse succeeds on UNMARSHALL
we have a valid (although possibly empty) RPC_BUFFER returned.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/rpc_parse/parse_buffer.c


Changeset:
Modified: branches/SAMBA_3_0/source/rpc_parse/parse_buffer.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_parse/parse_buffer.c	2006-03-07 20:52:34 UTC (rev 13988)
+++ branches/SAMBA_3_0/source/rpc_parse/parse_buffer.c	2006-03-07 20:52:43 UTC (rev 13989)
@@ -108,19 +108,34 @@
 
 	data_p = *buffer ? 0xf000baaa : 0;
 
-	if ( !prs_uint32("ptr", ps, depth, &data_p ))
+	if ( !prs_uint32("ptr", ps, depth, &data_p )) {
 		return False;
+	}
 
+	/* We must always return a valid buffer pointer even if the
+	   client didn't send one - just leave it initialized to null. */
+	if ( UNMARSHALLING(ps) ) {
+		if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) {
+			return False;
+		}
+	}
+
 	/* we're done if there is no data */
 
-	if ( !data_p )
+	if (!data_p) {
+		if (UNMARSHALLING(ps)) {
+			RPC_BUFFER *pbuffer = *buffer;
+			/* On unmarshalling we must return a valid,
+			   but zero size value RPC_BUFFER. */
+			pbuffer->size = 0;
+			pbuffer->string_at_end = 0;
+			if (!prs_init(&pbuffer->prs, 0, prs_get_mem_context(ps), UNMARSHALL)) {
+				return False;
+			}
+		}
 		return True;
+	}
 		
-	if ( UNMARSHALLING(ps) ) {
-		if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) )
-			return False;
-	}
-
 	return prs_rpcbuffer( desc, ps, depth, *buffer);
 }
 
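Review bot: The new comment above the unmarshalling allocation says the buffer is left "initialized to null", but the code now always stores a non-NULL `RPC_BUFFER` in `*buffer`, so the comment contradicts the guarantee this change introduces. Something like `/* On unmarshall always return a non-NULL RPC_BUFFER, even if the client sent a null pointer; its contents start out zeroed. */` would state it accurately, assuming `PRS_ALLOC_MEM` zero-fills, which is not visible here. In the `!data_p` branch only `size` and `string_at_end` are set explicitly, so any other `RPC_BUFFER` field depends on that same zero-fill. The guarantee also holds only on a True return: if `prs_init` or `prs_rpcbuffer` fails, `*buffer` already points at a partly set-up structure, and the function's header comment should say callers must not use it after a False return. The function begins above this hunk, so that header comment is not shown.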


