author | Jeremy Allison <jra@samba.org> | 2009-02-13 16:04:15 -0800 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2009-02-16 09:57:04 +0100 |
commit | e88029414fddb77c30c5efa2ca6c1c6e5c8d2e81 (patch) | |
tree | 6dcbbe75984963a0bce117b198f5bb604e564a0f /source | |
parent | 2e1e2a857b27992f1efb281630d3edff2f996ddc (diff) | |
download | samba-e88029414fddb77c30c5efa2ca6c1c6e5c8d2e81.tar.gz |
Parameterize in local.h the MAX_RPC_DATA_SIZE, and ensure
that "offered" read from the rpc packet in spoolss does not exceed
that size. Tidy-up from Veracode analysis.
Jeremy.
(cherry picked from commit 6b654d12fd46b68fef824bf281783396ca81283d)
Diffstat (limited to 'source')
-rw-r--r-- | source/include/local.h | 3 | ||||
-rw-r--r-- | source/rpc_server/srv_pipe_hnd.c | 2 | ||||
-rw-r--r-- | source/rpc_server/srv_spoolss_nt.c | 52 |
3 files changed, 56 insertions, 1 deletions
diff --git a/source/include/local.h b/source/include/local.h
index c125ded3713..45767ad1c15 100644
--- a/source/include/local.h
+++ b/source/include/local.h
@@ -253,4 +253,7 @@
 /* Windows minimum lock resolution timeout in ms */
 #define WINDOWS_MINIMUM_LOCK_TIMEOUT_MS 200
 
+/* Maximum size of RPC data we will accept for one call. */
+#define MAX_RPC_DATA_SIZE (15*1024*1024)
+
 #endif
diff --git a/source/rpc_server/srv_pipe_hnd.c b/source/rpc_server/srv_pipe_hnd.c
index c55e3287051..612ca362d8c 100644
--- a/source/rpc_server/srv_pipe_hnd.c
+++ b/source/rpc_server/srv_pipe_hnd.c
@@ -582,7 +582,7 @@ static bool process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
 	 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
 	 */
-	if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) {
+	if(prs_offset(&p->in_data.data) + data_len > MAX_RPC_DATA_SIZE) {
 		DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
 			(unsigned int)prs_data_size(&p->in_data.data),
 			(unsigned int)data_len ));
 		set_incoming_fault(p);
diff --git a/source/rpc_server/srv_spoolss_nt.c b/source/rpc_server/srv_spoolss_nt.c
index a2dd5d4a2cb..d24a44bc403 100644
--- a/source/rpc_server/srv_spoolss_nt.c
+++ b/source/rpc_server/srv_spoolss_nt.c
@@ -4729,6 +4729,10 @@ WERROR _spoolss_enumprinters( pipes_struct *p, SPOOL_Q_ENUMPRINTERS *q_u, SPOOL_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -5086,6 +5090,10 @@ WERROR _spoolss_getprinter(pipes_struct *p, SPOOL_Q_GETPRINTER *q_u, SPOOL_R_GET
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
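Review bot: The DEBUG(0) message on the rejection path reports prs_data_size(&p->in_data.data) while the new comparison tests prs_offset(&p->in_data.data), so the first value logged is not the value that tripped the check and a refused PDU cannot be reconstructed from the log. Logging the tested operand fixes that: `(unsigned int)prs_offset(&p->in_data.data),`. If prs_offset() and data_len are both uint32, the addition is performed in 32-bit unsigned arithmetic and would wrap for a data_len close to UINT32_MAX, slipping under MAX_RPC_DATA_SIZE; presumably data_len is already bounded by the fragment length validated earlier, but that check is outside the hunk, so a comment or an explicit `data_len > MAX_RPC_DATA_SIZE` pre-check would make the reasoning visible. process_request_pdu starts and ends outside the hunk.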
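Review bot: The new `offered > MAX_RPC_DATA_SIZE` guard is pasted verbatim into fourteen handlers in srv_spoolss_nt.c, which makes it easy for the next buffer-returning call to miss it and gives an operator no trace when a client sends an absurd size, unlike the DEBUG(0) in process_request_pdu. A single static helper that holds the policy and logs the refused value keeps the limit in one place; in _spoolss_enumprinters the check would then read `if (!spoolss_offered_ok("_spoolss_enumprinters", offered)) { return WERR_INVALID_PARAM; }`. This assumes `offered` is the uint32 read from the request as the commit message says; if it were a signed type a negative value would pass the comparison unchanged. Both _spoolss_enumprinters and _spoolss_getprinter start and end outside the hunk.
```c
/* Reject a client-supplied buffer size that exceeds the per-call RPC data cap. */
static bool spoolss_offered_ok(const char *fn, uint32 offered)
{
	if (offered > MAX_RPC_DATA_SIZE) {
		DEBUG(2, ("%s: offered (%u) exceeds MAX_RPC_DATA_SIZE\n",
			fn, (unsigned int)offered));
		return false;
	}
	return true;
}

/* … unchanged: _spoolss_enumprinters up to the existing WERR_INVALID_PARAM block … */
	if (!spoolss_offered_ok("_spoolss_enumprinters", offered)) {
		return WERR_INVALID_PARAM;
	}
/* … unchanged: rpcbuf_move and the rest of the handler … */
```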
@@ -5747,6 +5755,10 @@ WERROR _spoolss_getprinterdriver2(pipes_struct *p, SPOOL_Q_GETPRINTERDRIVER2 *q_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -6821,6 +6833,10 @@ WERROR _spoolss_enumjobs( pipes_struct *p, SPOOL_Q_ENUMJOBS *q_u, SPOOL_R_ENUMJO
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7197,6 +7213,10 @@ WERROR _spoolss_enumprinterdrivers( pipes_struct *p, SPOOL_Q_ENUMPRINTERDRIVERS
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7264,6 +7284,10 @@ WERROR _spoolss_enumforms(pipes_struct *p, SPOOL_Q_ENUMFORMS *q_u, SPOOL_R_ENUMF
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7672,6 +7696,10 @@ WERROR _spoolss_enumports( pipes_struct *p, SPOOL_Q_ENUMPORTS *q_u, SPOOL_R_ENUM
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8081,6 +8109,10 @@ WERROR _spoolss_getprinterdriverdirectory(pipes_struct *p, SPOOL_Q_GETPRINTERDRI
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8708,6 +8740,10 @@ WERROR _spoolss_enumprintprocessors(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCESSORS
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
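Review bot: The added guard in _spoolss_getprinterdriver2 carries no comment saying what it protects, and the only statement of intent is the commit message, which will not be in front of the next person who sees an unexplained compare against a header constant and a bare WERR_INVALID_PARAM. A one-liner above the check, `/* Cap the client-requested reply buffer at the per-call RPC data limit (MAX_RPC_DATA_SIZE, local.h); offered == limit is still accepted, matching process_request_pdu. */`, records both the reason and the boundary choice. The same comment applies to the identical guards in the other six handlers on this line. _spoolss_getprinterdriver2 starts and ends outside the hunk.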
@@ -8787,6 +8823,10 @@ WERROR _spoolss_enumprintprocdatatypes(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCDAT
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8915,6 +8955,10 @@ WERROR _spoolss_enumprintmonitors(pipes_struct *p, SPOOL_Q_ENUMPRINTMONITORS *q_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -9091,6 +9135,10 @@ WERROR _spoolss_getjob( pipes_struct *p, SPOOL_Q_GETJOB *q_u, SPOOL_R_GETJOB *r_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -9732,6 +9780,10 @@ WERROR _spoolss_getprintprocessordirectory(pipes_struct *p, SPOOL_Q_GETPRINTPROC
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 