authorGünther Deschner <gd@samba.org>2010-03-11 12:21:08 +0100
committerKarolin Seeger <kseeger@samba.org>2010-03-29 09:41:05 +0200
commit224c7005144ea4835edcd92973cd185a88fbb8bb (patch)
tree9dadaa5fc25cf7f72e93c364a7b852d1bc0b8959 /source3/rpc_server
parentd4a7e2fae741d7d446412ef215170a31d31c9339 (diff)
s3-winreg: Fix _winreg_QueryValue crash bugs and implement windows behavior.
Found by RPC-WINREG smbtorture test. Guenther (cherry picked from commit cddc542ba5f30316ff4ee8fa591a54808b7be4c8) The last 4 patches address bug #7258 (NULL pointer dereference crash in _winreg_QueryValue). (cherry picked from commit 55436299da49d995a2d9b3d7b702122ebb2ce156)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_winreg_nt.c19
1 files changed, 8 insertions, 11 deletions
diff --git a/source3/rpc_server/srv_winreg_nt.c b/source3/rpc_server/srv_winreg_nt.c
index 15c79bea46a..5912322d93f 100644
--- a/source3/rpc_server/srv_winreg_nt.c
+++ b/source3/rpc_server/srv_winreg_nt.c
@@ -230,12 +230,10 @@ WERROR _winreg_QueryValue(pipes_struct *p, struct winreg_QueryValue *r)
if ( !regkey )
return WERR_BADFID;
- if ((r->out.data_length == NULL) || (r->out.type == NULL)) {
+ if ((r->out.data_length == NULL) || (r->out.type == NULL) || (r->out.data_size == NULL)) {
return WERR_INVALID_PARAM;
}
- *r->out.data_length = *r->out.type = REG_NONE;
-
DEBUG(7,("_winreg_QueryValue: policy key name = [%s]\n", regkey->key->name));
DEBUG(7,("_winreg_QueryValue: policy key type = [%08x]\n", regkey->key->type));
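Review bot: Dropping the `*r->out.data_length = *r->out.type = REG_NONE;` initialisation means neither output is written on any error return between this hunk and the assignments further down, and in the new short-buffer branch `*r->out.data_length` is never written at all; the values marshalled back are then whatever the generated stub left there, presumably the caller's own `in` values since the stub aliases the out pointers to the in pointers — I cannot confirm that from this diff. If leaving them untouched is the Windows behaviour the commit title refers to, that deserves a comment where the old initialisation was, e.g. `/* out.type and out.data_length are deliberately not pre-set: on error and on WERR_MORE_DATA they are returned as received, matching Windows. */`, otherwise a reader will assume the removal was accidental. The added NULL check on `r->out.data_size` is correct and also covers the `*r->in.data_size` dereference below, as both point at the same storage in the stub. _winreg_QueryValue continues beyond both edges of this hunk.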
@@ -310,19 +308,18 @@ WERROR _winreg_QueryValue(pipes_struct *p, struct winreg_QueryValue *r)
*r->out.type = val->type;
}
- *r->out.data_length = outbuf_size;
+ status = WERR_BADFILE;
- if ( *r->in.data_size == 0 || !r->out.data ) {
- status = WERR_OK;
- } else if ( *r->out.data_length > *r->in.data_size ) {
- status = WERR_MORE_DATA;
+ if (*r->in.data_size < outbuf_size) {
+ *r->out.data_size = outbuf_size;
+ status = r->in.data ? WERR_MORE_DATA : WERR_OK;
} else {
- memcpy( r->out.data, outbuf, *r->out.data_length );
+ *r->out.data_length = outbuf_size;
+ *r->out.data_size = outbuf_size;
+ memcpy(r->out.data, outbuf, outbuf_size);
status = WERR_OK;
}
- *r->out.data_size = *r->out.data_length;
-
if (free_prs) prs_mem_free(&prs_hkpd);
if (free_buf) SAFE_FREE(outbuf);
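Review bot: The else branch still calls `memcpy(r->out.data, outbuf, outbuf_size)` without checking `r->out.data`, while the old `!r->out.data` guard has been removed and the new code only tests `r->in.data` in the short-buffer branch. Since that very test shows `data` can legitimately arrive as NULL (a `unique` pointer, presumably), a client that sends `data == NULL` together with a `data_size` large enough to hold the value reaches `memcpy(NULL, ...)` — the same class of NULL-dereference crash this commit is fixing for bug #7258. Guarding the copy keeps the reported sizes intact: `if (r->out.data) {` / `memcpy(r->out.data, outbuf, outbuf_size);` / `}`. Whether Windows returns WERR_OK or something else for a NULL buffer with a sufficient size is not something this diff establishes, so I would only add the guard and leave the status logic alone. The function's return is outside the hunk.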