Parameterize in local.h the MAX_RPC_DATA_SIZE, and ensure

that "offered" read from the rpc packet in spoolss is under that size. Tidyup from analysis from Veracode. Jeremy. (cherry picked from commit 6b654d12fd46b68fef824bf281783396ca81283d)
author: Jeremy Allison <jra@samba.org> 2009-02-13 16:04:15 -0800
committer: Karolin Seeger <kseeger@samba.org> 2009-02-16 09:57:04 +0100
commit: e88029414fddb77c30c5efa2ca6c1c6e5c8d2e81 (patch)
tree: 6dcbbe75984963a0bce117b198f5bb604e564a0f /source
parent: 2e1e2a857b27992f1efb281630d3edff2f996ddc (diff)
download: samba-e88029414fddb77c30c5efa2ca6c1c6e5c8d2e81.tar.gz
3 files changed, 56 insertions, 1 deletions
diff --git a/source/include/local.h b/source/include/local.h
index c125ded3713..45767ad1c15 100644
--- a/source/include/local.h
+++ b/source/include/local.h
@@ -253,4 +253,7 @@
 /* Windows minimum lock resolution timeout in ms */
 #define WINDOWS_MINIMUM_LOCK_TIMEOUT_MS 200
 
+/* Maximum size of RPC data we will accept for one call. */
+#define MAX_RPC_DATA_SIZE (15*1024*1024)
+
 #endif
diff --git a/source/rpc_server/srv_pipe_hnd.c b/source/rpc_server/srv_pipe_hnd.c
index c55e3287051..612ca362d8c 100644
--- a/source/rpc_server/srv_pipe_hnd.c
+++ b/source/rpc_server/srv_pipe_hnd.c
@@ -582,7 +582,7 @@ static bool process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
 	 * will not fit in the initial buffer of size 0x1068   --jerry 22/01/2002
 	 */
 	
-	if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) {
+	if(prs_offset(&p->in_data.data) + data_len > MAX_RPC_DATA_SIZE) {
 		DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
 				(unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
 		set_incoming_fault(p);
diff --git a/source/rpc_server/srv_spoolss_nt.c b/source/rpc_server/srv_spoolss_nt.c
index a2dd5d4a2cb..d24a44bc403 100644
--- a/source/rpc_server/srv_spoolss_nt.c
+++ b/source/rpc_server/srv_spoolss_nt.c
@@ -4729,6 +4729,10 @@ WERROR _spoolss_enumprinters( pipes_struct *p, SPOOL_Q_ENUMPRINTERS *q_u, SPOOL_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -5086,6 +5090,10 @@ WERROR _spoolss_getprinter(pipes_struct *p, SPOOL_Q_GETPRINTER *q_u, SPOOL_R_GET
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -5747,6 +5755,10 @@ WERROR _spoolss_getprinterdriver2(pipes_struct *p, SPOOL_Q_GETPRINTERDRIVER2 *q_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -6821,6 +6833,10 @@ WERROR _spoolss_enumjobs( pipes_struct *p, SPOOL_Q_ENUMJOBS *q_u, SPOOL_R_ENUMJO
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7197,6 +7213,10 @@ WERROR _spoolss_enumprinterdrivers( pipes_struct *p, SPOOL_Q_ENUMPRINTERDRIVERS
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7264,6 +7284,10 @@ WERROR _spoolss_enumforms(pipes_struct *p, SPOOL_Q_ENUMFORMS *q_u, SPOOL_R_ENUMF
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7672,6 +7696,10 @@ WERROR _spoolss_enumports( pipes_struct *p, SPOOL_Q_ENUMPORTS *q_u, SPOOL_R_ENUM
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8081,6 +8109,10 @@ WERROR _spoolss_getprinterdriverdirectory(pipes_struct *p, SPOOL_Q_GETPRINTERDRI
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8708,6 +8740,10 @@ WERROR _spoolss_enumprintprocessors(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCESSORS
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8787,6 +8823,10 @@ WERROR _spoolss_enumprintprocdatatypes(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCDAT
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8915,6 +8955,10 @@ WERROR _spoolss_enumprintmonitors(pipes_struct *p, SPOOL_Q_ENUMPRINTMONITORS *q_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -9091,6 +9135,10 @@ WERROR _spoolss_getjob( pipes_struct *p, SPOOL_Q_GETJOB *q_u, SPOOL_R_GETJOB *r_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -9732,6 +9780,10 @@ WERROR _spoolss_getprintprocessordirectory(pipes_struct *p, SPOOL_Q_GETPRINTPROC
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
author	Jeremy Allison <jra@samba.org>	2009-02-13 16:04:15 -0800
committer	Karolin Seeger <kseeger@samba.org>	2009-02-16 09:57:04 +0100
commit	e88029414fddb77c30c5efa2ca6c1c6e5c8d2e81 (patch)
tree	6dcbbe75984963a0bce117b198f5bb604e564a0f /source
parent	2e1e2a857b27992f1efb281630d3edff2f996ddc (diff)
download	samba-e88029414fddb77c30c5efa2ca6c1c6e5c8d2e81.tar.gz