[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-873-g4df9f18

Jeremy Allison jra at samba.org
Sat Feb 14 00:08:10 GMT 2009


The branch, master has been updated
       via  4df9f1860ed63ff88ee6c47596faa293cc9330bd (commit)
       via  49b52ec16f8150d71a0ebfdd0a7067981fe5840a (commit)
      from  ca87726f81392e475ba86680a8735ee7d890c553 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4df9f1860ed63ff88ee6c47596faa293cc9330bd
Merge: 49b52ec16f8150d71a0ebfdd0a7067981fe5840a ca87726f81392e475ba86680a8735ee7d890c553
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Feb 13 16:07:07 2009 -0800

    Merge branch 'master' of ssh://jra@git.samba.org/data/git/samba

commit 49b52ec16f8150d71a0ebfdd0a7067981fe5840a
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Feb 13 16:06:17 2009 -0800

    Parameterize in local.h the MAX_RPC_DATA_SIZE, and ensure
    that "offered" read from the rpc packet in spoolss is under
    that size. Tidyup from analysis from Veracode.
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/include/local.h             |    3 ++
 source3/rpc_server/srv_pipe_hnd.c   |    2 +-
 source3/rpc_server/srv_spoolss_nt.c |   52 +++++++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/local.h b/source3/include/local.h
index c125ded..45767ad 100644
--- a/source3/include/local.h
+++ b/source3/include/local.h
@@ -253,4 +253,7 @@
 /* Windows minimum lock resolution timeout in ms */
 #define WINDOWS_MINIMUM_LOCK_TIMEOUT_MS 200
 
+/* Maximum size of RPC data we will accept for one call. */
+#define MAX_RPC_DATA_SIZE (15*1024*1024)
+
 #endif
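Review bot: The comment on the new MAX_RPC_DATA_SIZE define describes only the incoming-data use, but this commit also uses the constant in srv_spoolss_nt.c as the upper bound for the client-supplied `offered` value. It also leaves the unit unstated. I would word it as `/* Maximum size (presumably bytes) of RPC data we will accept for one call; also the cap applied to client-supplied sizes such as spoolss "offered". */` so that anyone changing the value knows both consumers are affected.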
diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
index 0804af7..6dead2d 100644
--- a/source3/rpc_server/srv_pipe_hnd.c
+++ b/source3/rpc_server/srv_pipe_hnd.c
@@ -426,7 +426,7 @@ static bool process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
 	 * will not fit in the initial buffer of size 0x1068   --jerry 22/01/2002
 	 */
 	
-	if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) {
+	if(prs_offset(&p->in_data.data) + data_len > MAX_RPC_DATA_SIZE) {
 		DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
 				(unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
 		set_incoming_fault(p);
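Review bot: The DEBUG message under this check prints `prs_data_size(&p->in_data.data)`, while the condition tests `prs_offset(&p->in_data.data) + data_len`, so the logged numbers may not be the ones that tripped the limit. Logging `(unsigned int)prs_offset(&p->in_data.data)` instead would make the level-0 message usable when triaging an oversized-request fault. Separately, the sum is formed before the comparison; the operand types are not visible in this hunk, so it is worth confirming that it cannot wrap for any `data_len` taken from the PDU. The body of process_request_pdu starts and ends outside the hunk.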
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index 7199441..ef02dcf 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -4683,6 +4683,10 @@ WERROR _spoolss_enumprinters( pipes_struct *p, SPOOL_Q_ENUMPRINTERS *q_u, SPOOL_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
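Review bot: The new `offered > MAX_RPC_DATA_SIZE` rejection in _spoolss_enumprinters returns WERR_INVALID_PARAM silently, whereas the matching limit in process_request_pdu logs at level 0. An oversized client-supplied `offered` is worth a trace, e.g. `DEBUG(3,("_spoolss_enumprinters: offered (%u) exceeds MAX_RPC_DATA_SIZE\n", (unsigned int)offered));` before the return. The same applies to the twelve other hunks in this file (_spoolss_getprinter, _getprinterdriver2, _enumjobs, _enumprinterdrivers, _enumforms, _enumports, _getprinterdriverdirectory, _enumprintprocessors, _enumprintprocdatatypes, _enumprintmonitors, _getjob, _getprintprocessordirectory). Because the identical four lines are added thirteen times, a small static helper that checks and logs would keep a future handler from omitting the bound. The declaration of `offered` and the rest of each function are outside the hunks.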
@@ -5040,6 +5044,10 @@ WERROR _spoolss_getprinter(pipes_struct *p, SPOOL_Q_GETPRINTER *q_u, SPOOL_R_GET
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -5701,6 +5709,10 @@ WERROR _spoolss_getprinterdriver2(pipes_struct *p, SPOOL_Q_GETPRINTERDRIVER2 *q_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -6788,6 +6800,10 @@ WERROR _spoolss_enumjobs( pipes_struct *p, SPOOL_Q_ENUMJOBS *q_u, SPOOL_R_ENUMJO
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7168,6 +7184,10 @@ WERROR _spoolss_enumprinterdrivers( pipes_struct *p, SPOOL_Q_ENUMPRINTERDRIVERS
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7256,6 +7276,10 @@ WERROR _spoolss_enumforms(pipes_struct *p, SPOOL_Q_ENUMFORMS *q_u, SPOOL_R_ENUMF
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7665,6 +7689,10 @@ WERROR _spoolss_enumports( pipes_struct *p, SPOOL_Q_ENUMPORTS *q_u, SPOOL_R_ENUM
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8076,6 +8104,10 @@ WERROR _spoolss_getprinterdriverdirectory(pipes_struct *p, SPOOL_Q_GETPRINTERDRI
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8710,6 +8742,10 @@ WERROR _spoolss_enumprintprocessors(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCESSORS
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8789,6 +8825,10 @@ WERROR _spoolss_enumprintprocdatatypes(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCDAT
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8917,6 +8957,10 @@ WERROR _spoolss_enumprintmonitors(pipes_struct *p, SPOOL_Q_ENUMPRINTMONITORS *q_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -9093,6 +9137,10 @@ WERROR _spoolss_getjob( pipes_struct *p, SPOOL_Q_GETJOB *q_u, SPOOL_R_GETJOB *r_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -9714,6 +9762,10 @@ WERROR _spoolss_getprintprocessordirectory(pipes_struct *p, SPOOL_Q_GETPRINTPROC
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 


-- 
Samba Shared Repository

