coding volunteers needed for msrpc server-side API conversion

Luke Kenneth Casson Leighton lkcl at
Thu Jan 27 20:06:35 GMT 2000

On Thu, 27 Jan 2000, Elrond wrote:

> On Fri, Jan 28, 2000 at 06:39:46AM +1100, Luke Kenneth Casson Leighton wrote:
> > > In cli_*.c we do:
> > > 
> > > xxx_xxx(const foo in, foo **out)
> > > 	xxx_make_q_xxx(in) /* this one dups all the neccessary things */
> > 
> > elrond,
> > k
> > thi is not acceptable for the SPOOLSS functions, which pass in a
> > stupid-wasted buffer as an [in out] parameter.
> Well, that sounds like spoolss isn't doing _any_ dynamic
> memory, so there isn't really a conflict / problem here.

strictly speaking?   you're right.  the malloc / freeing is being done by
the marshalling /. unmarshalling code.

however, jean-francois' implementation does (and ignores the unmarshalled

> All my arguments are for dynamic memory only. For the rest,
> there's no need to dup() things.

the static-sized structures? correct.

even for the dynamic memory ones, it's not _really_ ok to dup() an list or
array structure, when it could be a megabyte of contiguous memory.

> > the buffer size could potentiallly be several megabytes in size.  NT has a
> > hard-limit of 5mb on dce/rpc data and a hard-limit of unknown size in
> > SPOOLLSS but they got it wrong.  [if you send a request with 1mb of
> > spoolss data you will terminate spoolss.exe].
> That pretty sounds like DoS in nt... are they aware of
> that / is anyone doing anything about it?

yes, i don't think they really got it though, and i lost the repro code by
deleting it by mistake.


More information about the samba-technical mailing list