[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-927-gd8a6ea8

Jeremy Allison jra at samba.org
Fri Apr 10 19:34:30 GMT 2009


On Wed, Apr 08, 2009 at 04:24:54PM -0500, Günther Deschner wrote:
> The branch, master has been updated
>        via  d8a6ea8141fba4876b6674806b629748ecf41876 (commit)
>       from  ccd293ba0e7eede1115c6f2f7de36bc38b59c02f (commit)
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit d8a6ea8141fba4876b6674806b629748ecf41876
> Author: Günther Deschner <gd at samba.org>
> Date:   Wed Apr 8 23:21:41 2009 +0200
> 
>     s3-svcctl: Fix _svcctl_EnumServicesStatusW (again).
>     
>     The final plan is to use the same macro based code that we have in spoolss to
>     handle the buffers and calculate the buffer-sizes.
>     
>     Guenther
> 
> -----------------------------------------------------------------------
> 
> Summary of changes:
>  source3/rpc_server/srv_svcctl_nt.c |    4 +---
>  1 files changed, 1 insertions(+), 3 deletions(-)
> 
> 
> Changeset truncated at 500 lines:
> 
> diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c
> index ddfe0df..1850dcb 100644
> --- a/source3/rpc_server/srv_svcctl_nt.c
> +++ b/source3/rpc_server/srv_svcctl_nt.c
> @@ -466,9 +466,7 @@ WERROR _svcctl_EnumServicesStatusW(pipes_struct *p,
>  		}
>  
>  		blob = ndr_push_blob(ndr);
> -		if (blob.length >= r->in.offered) {
> -			memcpy(r->out.service, blob.data, r->in.offered);
> -		}
> +		memcpy(r->out.service, blob.data, r->in.offered);
>  	}
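Review bot: removing the `if (blob.length >= r->in.offered)` guard leaves `memcpy(r->out.service, blob.data, r->in.offered)` copying `r->in.offered` bytes out of `blob.data` regardless of how many bytes `ndr_push_blob(ndr)` actually produced, so whenever `blob.length` is smaller than `r->in.offered` the copy reads past the end of the pushed blob. Bound the copy by what was marshalled, e.g. `memcpy(r->out.service, blob.data, MIN(blob.length, r->in.offered));`, or keep an explicit length check and return a buffer-size error before copying; note that the deleted guard had the opposite defect (it skipped the copy entirely when the blob was shorter than the offered buffer), so neither version on its own handles the short-blob case correctly.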

Ok, I know I'm paranoid (I should be I suppose) but this
looks like it might be a valgrind uninitialized read in
the making.

I know that r->out.service has been allocated with
the size r->in.offered ('cos I looked in the auto-generated
code) so I know we're safe from buffer overrun. But can't
blob.length be less than r->in.offered here, in which case
we're reading uninitialized memory off the end of blob.data?

Please correct me :-).

Jeremy.