git.samba.org / kai / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9b0c1ab)
s3-net: Fix rpc_service_list_internal() null pointer passing.
authorAndreas Schneider <asn@samba.org>
Fri, 21 Dec 2012 15:03:51 +0000 (16:03 +0100)
committerGünther Deschner <gd@samba.org>
Wed, 2 Jan 2013 13:19:50 +0000 (14:19 +0100)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Found by Coverity.

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jan  2 14:19:50 CET 2013 on sn-devel-104

source3/utils/net_rpc_service.c patch | blob | history

diff --git a/source3/utils/net_rpc_service.c b/source3/utils/net_rpc_service.c
index 523eafd6533a37381e708c93352f16619e552c0c..0c0995a1dcb2dbe26139f23f3962e8b474466e70 100644 (file)
--- a/source3/utils/net_rpc_service.c
+++ b/source3/utils/net_rpc_service.c
@@ -289,7 +289,7 @@ static NTSTATUS rpc_service_list_internal(struct net_context *c,
        int i;
        struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
 
-       uint8_t *buffer = NULL;
+       uint8_t *buffer;
        uint32_t buf_size = 0;
        uint32_t bytes_needed = 0;
        uint32_t num_services = 0;
@@ -307,6 +307,12 @@ static NTSTATUS rpc_service_list_internal(struct net_context *c,
                return werror_to_ntstatus(result);
        }
 
+       buffer = talloc_array(mem_ctx, uint8_t, buf_size);
+       if (buffer == NULL) {
+               status = NT_STATUS_NO_MEMORY;
+               goto done;
+       }
+
        do {
                status = dcerpc_svcctl_EnumServicesStatusW(b, mem_ctx,
                                                           &hSCM,
@@ -327,8 +333,12 @@ static NTSTATUS rpc_service_list_internal(struct net_context *c,
                }
 
                if (W_ERROR_EQUAL(result, WERR_MORE_DATA) && bytes_needed > 0) {
-                       buffer = talloc_array(mem_ctx, uint8_t, bytes_needed);
                        buf_size = bytes_needed;
+                       buffer = talloc_realloc(mem_ctx, buffer, uint8_t, bytes_needed);
+                       if (buffer == NULL) {
+                               status = NT_STATUS_NO_MEMORY;
+                               break;
+                       }
                        continue;
                }
 
@@ -381,6 +391,7 @@ static NTSTATUS rpc_service_list_internal(struct net_context *c,
 
        } while (W_ERROR_EQUAL(result, WERR_MORE_DATA));
 
+done:
        if (is_valid_policy_hnd(&hSCM)) {
                WERROR _result;
                dcerpc_svcctl_CloseServiceHandle(b, mem_ctx, &hSCM, &_result);
Kai's WIP code