[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Thu Mar 11 05:09:31 MST 2010
The branch, master has been updated
via cddc542... s3-winreg: Fix _winreg_QueryValue crash bugs and implement windows behavior.
from 6441a5b... Explain why we don't use certain characters in the generated pw
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit cddc542ba5f30316ff4ee8fa591a54808b7be4c8
Author: Günther Deschner <gd at samba.org>
Date: Thu Mar 11 12:21:08 2010 +0100
s3-winreg: Fix _winreg_QueryValue crash bugs and implement windows behavior.
Found by RPC-WINREG smbtorture test.
Guenther
-----------------------------------------------------------------------
Summary of changes:
source3/rpc_server/srv_winreg_nt.c | 19 ++++++++-----------
1 files changed, 8 insertions(+), 11 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/rpc_server/srv_winreg_nt.c b/source3/rpc_server/srv_winreg_nt.c
index 15c79be..5912322 100644
--- a/source3/rpc_server/srv_winreg_nt.c
+++ b/source3/rpc_server/srv_winreg_nt.c
@@ -230,12 +230,10 @@ WERROR _winreg_QueryValue(pipes_struct *p, struct winreg_QueryValue *r)
if ( !regkey )
return WERR_BADFID;
- if ((r->out.data_length == NULL) || (r->out.type == NULL)) {
+ if ((r->out.data_length == NULL) || (r->out.type == NULL) || (r->out.data_size == NULL)) {
return WERR_INVALID_PARAM;
}
- *r->out.data_length = *r->out.type = REG_NONE;
-
DEBUG(7,("_winreg_QueryValue: policy key name = [%s]\n", regkey->key->name));
DEBUG(7,("_winreg_QueryValue: policy key type = [%08x]\n", regkey->key->type));
@@ -310,19 +308,18 @@ WERROR _winreg_QueryValue(pipes_struct *p, struct winreg_QueryValue *r)
*r->out.type = val->type;
}
- *r->out.data_length = outbuf_size;
+ status = WERR_BADFILE;
- if ( *r->in.data_size == 0 || !r->out.data ) {
- status = WERR_OK;
- } else if ( *r->out.data_length > *r->in.data_size ) {
- status = WERR_MORE_DATA;
+ if (*r->in.data_size < outbuf_size) {
+ *r->out.data_size = outbuf_size;
+ status = r->in.data ? WERR_MORE_DATA : WERR_OK;
} else {
- memcpy( r->out.data, outbuf, *r->out.data_length );
+ *r->out.data_length = outbuf_size;
+ *r->out.data_size = outbuf_size;
+ memcpy(r->out.data, outbuf, outbuf_size);
status = WERR_OK;
}
- *r->out.data_size = *r->out.data_length;
-
if (free_prs) prs_mem_free(&prs_hkpd);
if (free_buf) SAFE_FREE(outbuf);
--
Samba Shared Repository
More information about the samba-cvs
mailing list