[SCM] Samba Shared Repository - branch v3-2-test updated -
release-3-2-0pre2-3461-g3ac4c42
Jeremy Allison
jra at samba.org
Sat Feb 14 00:07:11 GMT 2009
The branch, v3-2-test has been updated
via 3ac4c42e1e5be2f25ef4602efa2ac360d8b603ce (commit)
from c604236558b0be1b8a8539c7823e22f8e5eea55b (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit 3ac4c42e1e5be2f25ef4602efa2ac360d8b603ce
Author: Jeremy Allison <jra at samba.org>
Date: Fri Feb 13 16:06:29 2009 -0800
Parameterize in local.h the MAX_RPC_DATA_SIZE, and ensure
that "offered" read from the rpc packet in spoolss is under
that size. Tidy-up following analysis from Veracode.
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source/include/local.h | 3 ++
source/rpc_server/srv_pipe_hnd.c | 2 +-
source/rpc_server/srv_spoolss_nt.c | 52 ++++++++++++++++++++++++++++++++++++
3 files changed, 56 insertions(+), 1 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/include/local.h b/source/include/local.h
index c125ded..45767ad 100644
--- a/source/include/local.h
+++ b/source/include/local.h
@@ -253,4 +253,7 @@
/* Windows minimum lock resolution timeout in ms */
#define WINDOWS_MINIMUM_LOCK_TIMEOUT_MS 200
+/* Maximum size of RPC data we will accept for one call. */
+#define MAX_RPC_DATA_SIZE (15*1024*1024)
+
#endif
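Review bot: The comment on `MAX_RPC_DATA_SIZE` describes only incoming call data, but this commit also uses the constant as the ceiling for the client-declared reply buffer size `offered` in srv_spoolss_nt.c. I would word it as `/* Maximum size of RPC data we will accept for one call, and the largest reply buffer size a client may request. */` so that anyone tuning the value knows both limits move together.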
diff --git a/source/rpc_server/srv_pipe_hnd.c b/source/rpc_server/srv_pipe_hnd.c
index 45f649d..1123ff8 100644
--- a/source/rpc_server/srv_pipe_hnd.c
+++ b/source/rpc_server/srv_pipe_hnd.c
@@ -601,7 +601,7 @@ static bool process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
* will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
*/
- if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) {
+ if(prs_offset(&p->in_data.data) + data_len > MAX_RPC_DATA_SIZE) {
DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
(unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
set_incoming_fault(p);
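Review bot: The limit in `process_request_pdu` is tested on the sum `prs_offset(&p->in_data.data) + data_len`, so if both operands are 32-bit unsigned the addition could wrap before the comparison and an oversized `data_len` would pass. The declaration of `data_len` is outside the hunk, so whether it can get that large is not visible here. Comparing by subtraction removes the question: `if (data_len > MAX_RPC_DATA_SIZE || prs_offset(&p->in_data.data) > MAX_RPC_DATA_SIZE - data_len) {`. The DEBUG line also prints `prs_data_size()` while the test uses `prs_offset()`, so the logged figures may not be the ones that tripped the limit. The function body continues outside the hunk.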
diff --git a/source/rpc_server/srv_spoolss_nt.c b/source/rpc_server/srv_spoolss_nt.c
index 92f68ea..82fa677 100644
--- a/source/rpc_server/srv_spoolss_nt.c
+++ b/source/rpc_server/srv_spoolss_nt.c
@@ -4729,6 +4729,10 @@ WERROR _spoolss_enumprinters( pipes_struct *p, SPOOL_Q_ENUMPRINTERS *q_u, SPOOL_
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
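Review bot: The new `offered > MAX_RPC_DATA_SIZE` rejection returns silently, unlike the level-0 DEBUG in `process_request_pdu`, so an oversized client-supplied `offered` leaves no trace in the log. A line such as `DEBUG(3,("_spoolss_enumprinters: offered (%u) too large\n", (unsigned int)offered));` before the return would help operators spot malformed or hostile requests. The same three-line check is pasted into the twelve following hunks (`_spoolss_getprinter` through `_spoolss_getprintprocessordirectory`); a small static helper or macro in this file would keep them in step and make a missed handler easier to see. Each function starts and ends outside its hunk, so whether `offered` is otherwise bounded before the reply buffer is sized cannot be confirmed from here.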
@@ -5086,6 +5090,10 @@ WERROR _spoolss_getprinter(pipes_struct *p, SPOOL_Q_GETPRINTER *q_u, SPOOL_R_GET
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
@@ -5747,6 +5755,10 @@ WERROR _spoolss_getprinterdriver2(pipes_struct *p, SPOOL_Q_GETPRINTERDRIVER2 *q_
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
@@ -6820,6 +6832,10 @@ WERROR _spoolss_enumjobs( pipes_struct *p, SPOOL_Q_ENUMJOBS *q_u, SPOOL_R_ENUMJO
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
@@ -7196,6 +7212,10 @@ WERROR _spoolss_enumprinterdrivers( pipes_struct *p, SPOOL_Q_ENUMPRINTERDRIVERS
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
@@ -7263,6 +7283,10 @@ WERROR _spoolss_enumforms(pipes_struct *p, SPOOL_Q_ENUMFORMS *q_u, SPOOL_R_ENUMF
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
@@ -7671,6 +7695,10 @@ WERROR _spoolss_enumports( pipes_struct *p, SPOOL_Q_ENUMPORTS *q_u, SPOOL_R_ENUM
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
@@ -8080,6 +8108,10 @@ WERROR _spoolss_getprinterdriverdirectory(pipes_struct *p, SPOOL_Q_GETPRINTERDRI
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
@@ -8707,6 +8739,10 @@ WERROR _spoolss_enumprintprocessors(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCESSORS
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
@@ -8786,6 +8822,10 @@ WERROR _spoolss_enumprintprocdatatypes(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCDAT
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
@@ -8914,6 +8954,10 @@ WERROR _spoolss_enumprintmonitors(pipes_struct *p, SPOOL_Q_ENUMPRINTMONITORS *q_
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
@@ -9090,6 +9134,10 @@ WERROR _spoolss_getjob( pipes_struct *p, SPOOL_Q_GETJOB *q_u, SPOOL_R_GETJOB *r_
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
@@ -9731,6 +9779,10 @@ WERROR _spoolss_getprintprocessordirectory(pipes_struct *p, SPOOL_Q_GETPRINTPROC
return WERR_INVALID_PARAM;
}
+ if (offered > MAX_RPC_DATA_SIZE) {
+ return WERR_INVALID_PARAM;
+ }
+
rpcbuf_move(q_u->buffer, &r_u->buffer);
buffer = r_u->buffer;
--
Samba Shared Repository