[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-927-gd8a6ea8
Jeremy Allison
jra at samba.org
Fri Apr 10 19:34:30 GMT 2009
On Wed, Apr 08, 2009 at 04:24:54PM -0500, Günther Deschner wrote:
> The branch, master has been updated
> via d8a6ea8141fba4876b6674806b629748ecf41876 (commit)
> from ccd293ba0e7eede1115c6f2f7de36bc38b59c02f (commit)
>
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>
>
> - Log -----------------------------------------------------------------
> commit d8a6ea8141fba4876b6674806b629748ecf41876
> Author: Günther Deschner <gd at samba.org>
> Date: Wed Apr 8 23:21:41 2009 +0200
>
> s3-svcctl: Fix _svcctl_EnumServicesStatusW (again).
>
> The final plan is to use the same macro based code that we have in spoolss to
> handle the buffers and calculate the buffer-sizes.
>
> Guenther
>
> -----------------------------------------------------------------------
>
> Summary of changes:
> source3/rpc_server/srv_svcctl_nt.c | 4 +---
> 1 files changed, 1 insertions(+), 3 deletions(-)
>
>
> Changeset truncated at 500 lines:
>
> diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c
> index ddfe0df..1850dcb 100644
> --- a/source3/rpc_server/srv_svcctl_nt.c
> +++ b/source3/rpc_server/srv_svcctl_nt.c
> @@ -466,9 +466,7 @@ WERROR _svcctl_EnumServicesStatusW(pipes_struct *p,
> }
>
> blob = ndr_push_blob(ndr);
> - if (blob.length >= r->in.offered) {
> - memcpy(r->out.service, blob.data, r->in.offered);
> - }
> + memcpy(r->out.service, blob.data, r->in.offered);
> }
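Review bot: the memcpy on the added line copies r->in.offered bytes from blob.data without consulting blob.length, so whenever the pushed blob is shorter than r->in.offered the copy reads past the end of blob.data. The removed check only handled the blob.length >= r->in.offered case; instead of dropping it, bound the copy by the smaller of the two lengths, for example memcpy(r->out.service, blob.data, MIN(blob.length, r->in.offered)), and decide explicitly what the remaining bytes of r->out.service should hold when the blob is shorter.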
Ok, I know I'm paranoid (I should be I suppose) but this
looks like it might be a valgrind uninitialized read in
the making.
I know that r->out.service has been allocated with
the size r->in.offered ('cos I looked in the auto-generated
code) so I know we're safe from buffer overrun. But can't
blob.length be less than r->in.offered here, in which case
we're reading uninitialized memory off the end of blob.data?
Please correct me :-).
Jeremy.