coding volunteers needed for msrpc server-side API conversion
Luke Kenneth Casson Leighton
lkcl at samba.org
Thu Jan 27 20:06:35 GMT 2000
On Thu, 27 Jan 2000, Elrond wrote:
> On Fri, Jan 28, 2000 at 06:39:46AM +1100, Luke Kenneth Casson Leighton wrote:
> > > In cli_*.c we do:
> > >
> > > xxx_xxx(const foo in, foo **out)
> > > xxx_make_q_xxx(in) /* this one dups all the necessary things */
> >
> > elrond,
> > k
> > this is not acceptable for the SPOOLSS functions, which pass in a
> > stupid-wasted buffer as an [in out] parameter.
>
> Well, that sounds like spoolss isn't doing _any_ dynamic
> memory, so there isn't really a conflict / problem here.
strictly speaking? you're right. the malloc / freeing is being done by
the marshalling / unmarshalling code.
however, jean-francois' implementation does (and ignores the unmarshalled
BUFFER*)
> All my arguments are for dynamic memory only. For the rest,
> there's no need to dup() things.
the static-sized structures? correct.
even for the dynamic memory ones, it's not _really_ ok to dup() a list or
array structure, when it could be a megabyte of contiguous memory.
>
>
> > the buffer size could potentially be several megabytes in size. NT has a
> > hard-limit of 5mb on dce/rpc data and a hard-limit of unknown size in
> > SPOOLSS but they got it wrong. [if you send a request with 1mb of
> > spoolss data you will terminate spoolss.exe].
>
> That pretty sounds like DoS in nt... are they aware of
> that / is anyone doing anything about it?
yes, i don't think they really got it though, and i lost the repro code by
deleting it by mistake.
nggg!
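The two points the thread circles around, borrowing a large [in out] buffer instead of dup()ing it, and bounding the size field when the marshalling layer allocates for it, can be shown in a few lines of C. The following is an added example, not Samba's code or Jean-Francois' or Elrond's; the wire format (a little-endian 32-bit length followed by the bytes), the 5 MB cap, and every name (rpc_buffer, unmarshal_buffer, make_q_borrow, dup_buffer, q_example, demo) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on a variable-size [in out] BUFFER, modelled on the
   5 MB DCE/RPC limit mentioned in the thread (the SPOOLSS limit itself
   is not given there). */
#define MAX_BUFFER_SIZE (5u * 1024u * 1024u)

/* Hypothetical [in out] buffer as the marshalling layer sees it. The
   data pointer is owned by that layer and freed by free_buffer(). */
typedef struct {
    uint32_t size;
    uint8_t *data;
} rpc_buffer;

/* Running total of bytes malloc'ed, so the cost of dup vs borrow can be
   measured instead of argued about. */
static unsigned long bytes_allocated;

unsigned long allocated_bytes(void) { return bytes_allocated; }

/* Unmarshal a buffer from a wire blob: [uint32 LE size][size bytes].
   Returns 0 on success, -1 on short input or an oversized size field.
   The size check is what stops a hostile length from driving a huge
   allocation, the failure mode the thread describes for spoolss.exe. */
int unmarshal_buffer(const uint8_t *wire, size_t wire_len, rpc_buffer *out)
{
    uint32_t size;
    if (wire_len < 4) return -1;
    size = (uint32_t)wire[0] | ((uint32_t)wire[1] << 8) |
           ((uint32_t)wire[2] << 16) | ((uint32_t)wire[3] << 24);
    if (size > MAX_BUFFER_SIZE) return -1;   /* hard limit, not trust */
    if (size > wire_len - 4) return -1;      /* claims more than sent */
    out->data = malloc(size ? size : 1);
    if (!out->data) return -1;
    memcpy(out->data, wire + 4, size);
    out->size = size;
    bytes_allocated += size;
    return 0;
}

void free_buffer(rpc_buffer *b)
{
    free(b->data);
    b->data = NULL;
    b->size = 0;
}

/* Hypothetical request structure in the cli_* style from the thread. */
typedef struct {
    uint32_t level;
    const rpc_buffer *buffer;   /* borrowed from the marshalling layer */
} q_example;

/* Borrow: make_q stores a pointer and copies nothing, so a megabyte
   buffer costs no extra memory. The caller must keep the buffer alive
   until the request has been marshalled. */
void make_q_borrow(q_example *q, uint32_t level, const rpc_buffer *buf)
{
    q->level = level;
    q->buffer = buf;
}

/* Dup: a full copy plus a second allocation. Fine for small dynamic
   data, wasteful when the buffer is a megabyte of contiguous memory. */
int dup_buffer(const rpc_buffer *src, rpc_buffer *dst)
{
    dst->data = malloc(src->size ? src->size : 1);
    if (!dst->data) return -1;
    memcpy(dst->data, src->data, src->size);
    dst->size = src->size;
    bytes_allocated += src->size;
    return 0;
}

/* Constructed demonstration: a well-formed 16-byte buffer is parsed and
   borrowed into a request; a hostile blob whose size field claims
   0xFFFFFFFF bytes is rejected. Returns 1 when both behave as intended,
   0 otherwise. */
int demo(void)
{
    uint8_t good[4 + 16] = { 16, 0, 0, 0 };
    uint8_t hostile[8] = { 0xff, 0xff, 0xff, 0xff, 1, 2, 3, 4 };
    rpc_buffer b;
    q_example q;
    int ok;

    memset(good + 4, 0xAB, 16);
    if (unmarshal_buffer(good, sizeof good, &b) != 0) return 0;
    make_q_borrow(&q, 2, &b);
    ok = q.buffer->size == 16 && q.buffer->data == b.data;
    free_buffer(&b);

    if (unmarshal_buffer(hostile, sizeof hostile, &b) == 0) {
        free_buffer(&b);
        return 0;
    }
    return ok;
}
```

The point of the borrowed pointer in q_example is the lifetime contract: whoever unmarshalled the buffer frees it, and the request structure never owns it, which is the division of labour described in the reply above.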