Index: groupdb/aliasldap.c
===================================================================
RCS file: /home/cvsroot/dcerpc/tng/source/groupdb/aliasldap.c,v
retrieving revision 1.20
diff -u -p -r1.20 aliasldap.c
--- groupdb/aliasldap.c	6 Aug 2006 16:02:14 -0000	1.20
+++ groupdb/aliasldap.c	18 Jan 2008 22:10:45 -0000
@@ -343,13 +343,13 @@ static BOOL ldapalias_getusergroups(cons
 			LOCAL_GRP **groups, size_t *num_grps)
 {
 	LOCAL_GRP *grouplist;
-	fstring filter;
+	pstring filter;
 	int i;
 
 	if(!ldap_connect())
 		return (False);
 
-	slprintf(filter, sizeof(pstring)-1,
+	snprintf(filter, sizeof(filter),
 #ifdef ENABLE_OLD_LDAP_SCHEMA
 		 "(&(member=%s,*)(objectclass=sambaAlias))", name);
 #else
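Review bot: The snprintf result is discarded, so a `name` long enough to exceed the pstring-sized `filter` produces a silently truncated, syntactically broken LDAP filter instead of a failed lookup; assign the return value and reject `len < 0 || (size_t)len >= sizeof(filter)` with `return False` before the filter is sent. Separately, `name` is spliced into the filter through a bare `%s`; if it can originate from a client, the RFC 4515 filter metacharacters (`*`, `(`, `)`, `\`, NUL) need escaping before it is used as a filter value, which this hunk does not address. The ldapbuiltin_getusergroups hunk in groupdb/builtinldap.c has the identical construction and the same two gaps. The function's signature begins before this hunk and its body continues past it.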
Index: groupdb/builtinldap.c
===================================================================
RCS file: /home/cvsroot/dcerpc/tng/source/groupdb/builtinldap.c,v
retrieving revision 1.22
diff -u -p -r1.22 builtinldap.c
--- groupdb/builtinldap.c	6 Aug 2006 16:02:15 -0000	1.22
+++ groupdb/builtinldap.c	18 Jan 2008 22:10:45 -0000
@@ -343,13 +343,13 @@ static BOOL ldapbuiltin_getusergroups(co
 			LOCAL_GRP **groups, size_t *num_grps)
 {
 	LOCAL_GRP *grouplist;
-	fstring filter;
+	pstring filter;
 	int i;
 
 	if(!ldap_connect())
 		return (False);
 
-	slprintf(filter, sizeof(pstring)-1,
+	snprintf(filter, sizeof(filter),
 #ifdef ENABLE_OLD_LDAP_SCHEMA
 		 "(&(member=%s,*)(objectclass=sambaBuiltin))", name);
 #else
Index: rpc_parse/parse_lsa.c
===================================================================
RCS file: /home/cvsroot/dcerpc/tng/source/rpc_parse/parse_lsa.c,v
retrieving revision 1.23
diff -u -p -r1.23 parse_lsa.c
--- rpc_parse/parse_lsa.c	16 Aug 2006 18:23:56 -0000	1.23
+++ rpc_parse/parse_lsa.c	18 Jan 2008 22:10:49 -0000
@@ -174,7 +174,7 @@ static RPC_IO_DECLARE(lsa_io_dom_r_ref, 
 		prs_uint32("num_ref_doms_2", ps, depth, &(r_r->num_ref_doms_2));	/* 4 - num referenced domains? */
 		SMB_ASSERT_ARRAY(r_r->ref_dom, r_r->num_ref_doms_2);
 
-		for (i = 0; i < r_r->num_ref_doms_1; i++)
+		for (i = 0; i < r_r->num_ref_doms_2; i++)
 		{
 			fstring t;
 
@@ -1091,7 +1091,7 @@ static RPC_IO_DECLARE(lsa_io_trans_names
 	{
 		prs_uint32("num_entries2   ", ps, depth,
 			   &(trn->num_entries2));
-		SMB_ASSERT_ARRAY(trn->name, trn->num_entries);
+		SMB_ASSERT_ARRAY(trn->name, trn->num_entries2);
 
 		for (i = 0; i < trn->num_entries2; i++)
 		{
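Review bot: The added SMB_ASSERT_ARRAY guards a count that, on the receiving side, was just read from the wire (`num_entries2` on the line above), and the macro's failure behaviour is not visible in the diff; if it expands to a panic-style assert, as SMB_ASSERT does in the Samba tree, a malformed reply still takes the process down instead of failing the parse, and if it is compiled out in non-debug builds the loop below still indexes past `trn->name`. The lsa_io_r_lookup_names hunk later in this file shows the safer shape for wire data, an explicit compare followed by `return False`, and that form belongs here too, e.g. `if (trn->num_entries2 > sizeof(trn->name)/sizeof(trn->name[0])) return False;` assuming `name` is a fixed array. The same macro is added on wire-derived counts in samr_io_r_query_aliasmem (rpc_parse/parse_samr.c), in the rpc_parse/parse_spoolss.c hunk checking `type->fields` against `count2`, and twice in svc_io_q_start_service (rpc_parse/parse_svc.c); those should follow the same pattern. This function starts and ends outside the hunk.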
@@ -1216,7 +1216,7 @@ BOOL make_q_lookup_names(LSA_Q_LOOKUP_NA
 	q_l->num_entries = num_names;
 	q_l->num_entries2 = num_names;
 
-	SMB_ASSERT_ARRAY(q_l->uni_name, q_l->num_entries);
+	SMB_ASSERT_ARRAY(q_l->uni_name, num_names);
 
 	for (i = 0; i < num_names; i++)
 	{
@@ -1296,6 +1296,9 @@ RPC_IO_DECLARE(lsa_io_r_lookup_names, LS
 			return False;
 		}
 
+		if (PRS_IS_CLIENT(ps) && (r_r->num_entries2 > MAX_LOOKUP_SIDS))
+			return False;
+
 		for (i = 0; i < r_r->num_entries2; i++)
 		{
 			smb_io_dom_rid2("", &(r_r->dom_rid[i]), ps, depth);	/* domain RIDs being looked up */
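Review bot: The new guard carries no comment explaining why it applies only under PRS_IS_CLIENT, so a reader has to reconstruct that the client is the side receiving this reply from the wire and that MAX_LOOKUP_SIDS is the capacity of `dom_rid[]`, which I am inferring rather than seeing in the hunk. Add `/* on the client this reply is untrusted wire data: cap num_entries2 before it indexes dom_rid[] */` above the `if`. The function starts and ends outside the hunk.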
Index: rpc_parse/parse_samr.c
===================================================================
RCS file: /home/cvsroot/dcerpc/tng/source/rpc_parse/parse_samr.c,v
retrieving revision 1.50
diff -u -p -r1.50 parse_samr.c
--- rpc_parse/parse_samr.c	11 Jul 2006 11:11:58 -0000	1.50
+++ rpc_parse/parse_samr.c	18 Jan 2008 22:11:00 -0000
@@ -3692,12 +3692,12 @@ RPC_IO_DECLARE(samr_io_r_query_aliasmem,
 
 	if (r_u->ptr != 0)
 	{
-		SMB_ASSERT_ARRAY(ptr_sid, r_u->num_sids);
-
 		if (r_u->num_sids != 0)
 		{
 			prs_uint32("num_sids1", ps, depth, &(r_u->num_sids1));
 
+			SMB_ASSERT_ARRAY(ptr_sid, r_u->num_sids1);
+
 			for (i = 0; i < r_u->num_sids1; i++)
 			{
 				ptr_sid[i] = 1;
@@ -3739,6 +3739,8 @@ BOOL make_samr_q_lookup_names(SAMR_Q_LOO
 	q_u->ptr = 0;
 	q_u->num_names2 = num_names;
 
+	SMB_ASSERT_ARRAY(q_u->hdr_name, num_names);
+
 	for (i = 0; i < num_names; i++)
 	{
 		int len_name = name[i] != NULL ? strlen(name[i]) : 0;
Index: rpc_parse/parse_spoolss.c
===================================================================
RCS file: /home/cvsroot/dcerpc/tng/source/rpc_parse/parse_spoolss.c,v
retrieving revision 1.23
diff -u -p -r1.23 parse_spoolss.c
--- rpc_parse/parse_spoolss.c	5 Jul 2006 12:13:36 -0000	1.23
+++ rpc_parse/parse_spoolss.c	18 Jan 2008 22:11:09 -0000
@@ -246,6 +246,8 @@ static RPC_IO_DECLARE(smb_io_notify_opti
 	if (type->count2 != type->count)
 		DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
 
+	SMB_ASSERT_ARRAY(type->fields, type->count2);
+
 	/* parse the option type data */
 	for(i=0;i<type->count2;i++)
 		if(!prs_uint16("fields",ps,depth,&type->fields[i]))
@@ -409,6 +411,9 @@ static RPC_IO_DECLARE(smb_io_notify_info
 
 	RPC_MARSHALLER_INTRO(info);
 
+	if (UNMARSHALLING(ps))
+		return False;
+
 	if(!prs_uint32("count", ps, depth, &info->count))
 		return False;
 	if(!prs_uint32("version", ps, depth, &info->version))
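Review bot: The new early return refuses every unmarshalling call with no comment and no log line, so a peer sending this structure sees only a failed parse and a maintainer sees nothing in the debug log; the reason (presumably that the incoming payload is not validated well enough to parse safely) should be stated where the decision is made. Add `/* unmarshalling deliberately refused -- TODO state why (incoming payload not validated?) */` above the check and a `DEBUG(2,(...))` line in the style of the count-mismatch message earlier in this file before the `return False;`. The rest of the function lies outside the hunk.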
Index: rpc_parse/parse_svc.c
===================================================================
RCS file: /home/cvsroot/dcerpc/tng/source/rpc_parse/parse_svc.c,v
retrieving revision 1.17
diff -u -p -r1.17 parse_svc.c
--- rpc_parse/parse_svc.c	31 Jan 2005 13:46:11 -0000	1.17
+++ rpc_parse/parse_svc.c	18 Jan 2008 22:11:10 -0000
@@ -25,7 +25,7 @@
 
 
 #include "includes.h"
-#include "debug.h"
+#include "libsamba.h"
 #include "tng_misc.h"
 #include "rpc_parse.h"
 
@@ -237,10 +237,13 @@ RPC_IO_DECLARE(svc_io_q_start_service, S
 			return False;
 		}
 
+		SMB_ASSERT_ARRAY(q_s->ptr_argv, q_s->argc2);
 		for (i = 0; i < q_s->argc2; i++)
 		{
 			prs_uint32("", ps, depth, &(q_s->ptr_argv[i]));
 		}
+
+		SMB_ASSERT_ARRAY(q_s->argv, q_s->argc2);
 		for (i = 0; i < q_s->argc2; i++)
 		{
 			smb_io_unistr2("", &(q_s->argv[i]), q_s->ptr_argv[i],
@@ -437,7 +440,7 @@ RPC_IO_DECLARE(svc_io_r_enum_svcs_status
 		new_offset = prs_offset(ps);
 		prs_set_offset(ps, buf_offset);
 
-		svc->svcs = g_new(ENUM_SRVC_STATUS, svc->num_svcs);
+		svc->svcs = g_new0(ENUM_SRVC_STATUS, svc->num_svcs);
 
 		if (svc->svcs == NULL)
 		{
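Review bot: If g_new0 is GLib's (the `g_new` family name suggests it, but the defining header is not in the diff), it aborts on allocation failure and returns NULL only when `num_svcs` is 0, so the `svc->svcs == NULL` test on the following lines turns an empty enumeration into a parse error rather than catching out-of-memory. That behaviour predates this commit, since g_new did the same, but switching the allocator is the moment to either short-circuit `num_svcs == 0` before the allocation or add a comment confirming that an empty result is meant to fail. The function starts and ends outside the hunk.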
@@ -446,9 +449,6 @@ RPC_IO_DECLARE(svc_io_r_enum_svcs_status
 			return False;
 		}
 
-		memset(svc->svcs, 0,
-		       svc->num_svcs * sizeof(ENUM_SRVC_STATUS));
-
 		for (i = 0; i < svc->num_svcs; i++)
 		{
 			fstring name;
Index: smbd/lanman.c
===================================================================
RCS file: /home/cvsroot/dcerpc/tng/source/smbd/lanman.c,v
retrieving revision 1.35
diff -u -p -r1.35 lanman.c
--- smbd/lanman.c	9 Aug 2005 13:00:25 -0000	1.35
+++ smbd/lanman.c	18 Jan 2008 22:11:15 -0000
@@ -372,7 +372,7 @@ static void PackDriverData(struct pack_d
 	SIVAL(drivdata, 0, sizeof drivdata);	/* cb */
 	SIVAL(drivdata, 4, 1000);	/* lVersion */
 	memset(drivdata + 8, 0, 32);	/* szDeviceName */
-	pstrcpy(drivdata + 8, "NULL");
+	safe_strcpy(drivdata + 8, "NULL", 32);
 	PACKl(desc, "l", drivdata, sizeof drivdata);	/* pDriverData */
 }
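Review bot: The bound of 32 passed to safe_strcpy does not match the destination if safe_strcpy follows the Samba convention, where `maxlength` excludes the terminating NUL and the function writes `dest[maxlength] = 0`; the szDeviceName slot zeroed by the preceding memset is 32 bytes, so the bound should be 31: `safe_strcpy(drivdata + 8, "NULL", 31);`. With the 4-byte literal nothing overflows today, but the constant documents the wrong contract for the next edit that copies a real device name here. PackDriverData begins before the hunk.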
 
