Fixed bug introduced by changeover of security descriptor code from

malloc() to talloc().  Previously, creating an ACL containing zero ACEs
would return a non-NULL pointer to zero bytes of memory.  The talloc() code
would return a NULL pointer making the ACL a NULL ACL instead of an empty
one.  The difference is a NULL ACL allows all access and an empty ACL
denies all access.

We solve this by calling talloc(ctx, sizeof(SEC_ACE) * num_aces + 1).
Heh.
(This used to be commit 89eaaafe7d266788609fab6951fd912c441b3a26)

diff --git a/source3/rpc_parse/parse_sec.c b/source3/rpc_parse/parse_sec.c
index e5d3a6ce43cd8cf6d25c277c847e4d7cc41d9140..7cc4d054fa255eef140274d4d3ab71fb87447369 100644 (file)
--- a/source3/rpc_parse/parse_sec.c
+++ b/source3/rpc_parse/parse_sec.c
@@ -135,7 +135,14 @@ SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, uint16 revision, int num_aces, SEC_ACE *a
        dst->num_aces = num_aces;
        dst->size = 8;
 
-       if((dst->ace = (SEC_ACE *)talloc(ctx, sizeof(SEC_ACE) * num_aces )) == NULL) {
+       /* Now we need to return a non-NULL address for the ace list even
+          if the number of aces required is zero.  This is because there
+          is a distinct difference between a NULL ace and an ace with zero
+          entries in it.  This is achieved by always making the number of
+          bytes allocated by talloc() positive.  Heh. */
+
+       if((dst->ace = (SEC_ACE *)talloc(ctx, sizeof(SEC_ACE) * num_aces + 1))
+          == NULL) {
                return NULL;
        }