[Pkg-samba-maint] r1422 - in branches/samba/etch/debian: . patches
vorlon at alioth.debian.org
vorlon at alioth.debian.org
Wed May 30 09:18:04 UTC 2007
Author: vorlon
Date: 2007-05-30 09:18:04 +0000 (Wed, 30 May 2007)
New Revision: 1422
Added:
branches/samba/etch/debian/patches/security-CVE-2007-2446_domain-fix.patch
Removed:
branches/samba/etch/debian/patches/security-CVE-2007-2444_fixed-parse_prs.patch
Modified:
branches/samba/etch/debian/changelog
branches/samba/etch/debian/patches/series
Log:
Fixed patch for bug #425680; since the security team (and autobuilders) have
already seen 6etch3, bump the version number to 6etch4.
Modified: branches/samba/etch/debian/changelog
===================================================================
--- branches/samba/etch/debian/changelog 2007-05-29 19:50:34 UTC (rev 1421)
+++ branches/samba/etch/debian/changelog 2007-05-30 09:18:04 UTC (rev 1422)
@@ -1,10 +1,9 @@
-samba (3.0.24-6etch3) stable-security; urgency=high
+samba (3.0.24-6etch4) stable-security; urgency=high
- * The fix for CVE-2007-2444 broke connections to servers that are domain
- members. Upstream bug #4637
- Closes: #425680
+ * Fix a regression introduced by the fix for CVE-2007-2446, which broke
+ connections to servers that are domain members. Closes: #425680
- -- Christian Perrier <bubulle at debian.org> Wed, 23 May 2007 21:35:28 +0200
+ -- Steve Langasek <vorlon at debian.org> Mon, 28 May 2007 06:03:07 -0700
samba (3.0.24-6etch2) stable-security; urgency=high
Deleted: branches/samba/etch/debian/patches/security-CVE-2007-2444_fixed-parse_prs.patch
===================================================================
--- branches/samba/etch/debian/patches/security-CVE-2007-2444_fixed-parse_prs.patch 2007-05-29 19:50:34 UTC (rev 1421)
+++ branches/samba/etch/debian/patches/security-CVE-2007-2444_fixed-parse_prs.patch 2007-05-30 09:18:04 UTC (rev 1422)
@@ -1,100 +0,0 @@
-=== modified file 'source/rpc_parse/parse_prs.c'
---- samba-3.0.24.orig/source/rpc_parse/parse_prs.c 2007-05-12 18:41:54 +0000
-+++ samba-3.0.24source/rpc_parse/parse_prs.c 2007-05-23 16:24:52 +0000
-@@ -642,8 +642,12 @@
- return True;
-
- if (UNMARSHALLING(ps)) {
-- if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
-- return False;
-+ if (data_size) {
-+ if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
-+ return False;
-+ } else {
-+ *data = NULL;
-+ }
- }
-
- return prs_fn(name, ps, depth, *data);
-@@ -1014,16 +1018,16 @@
- if (q == NULL)
- return False;
-
-+ /* If the string is empty, we don't have anything to stream */
-+ if (str->buf_len==0)
-+ return True;
-+
- if (UNMARSHALLING(ps)) {
- str->buffer = PRS_ALLOC_MEM(ps,uint16,str->buf_len);
- if (str->buffer == NULL)
- return False;
- }
-
-- /* If the string is empty, we don't have anything to stream */
-- if (str->buf_len==0)
-- return True;
--
- p = (char *)str->buffer;
-
- dbg_rw_punival(charmode, name, depth, ps, q, p, str->buf_len);
-@@ -1053,6 +1057,8 @@
- buf->buffer = PRS_ALLOC_MEM(ps, uint16, buf->buf_max_len);
- if ( buf->buffer == NULL )
- return False;
-+ } else {
-+ buf->buffer = NULL;
- }
- }
-
-@@ -1080,9 +1086,13 @@
- if (str->str_str_len > str->str_max_len) {
- return False;
- }
-- str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len);
-- if (str->buffer == NULL)
-- return False;
-+ if (str->str_max_len) {
-+ str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len);
-+ if (str->buffer == NULL)
-+ return False;
-+ } else {
-+ str->buffer = NULL;
-+ }
- }
-
- if (UNMARSHALLING(ps)) {
-@@ -1127,9 +1137,13 @@
- if (str->uni_str_len > str->uni_max_len) {
- return False;
- }
-- str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len);
-- if (str->buffer == NULL)
-- return False;
-+ if (str->uni_max_len) {
-+ str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len);
-+ if (str->buffer == NULL)
-+ return False;
-+ } else {
-+ str->buffer = NULL;
-+ }
- }
-
- p = (char *)str->buffer;
-@@ -1154,9 +1168,13 @@
- return False;
-
- if (UNMARSHALLING(ps)) {
-- str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len);
-- if (str->str.buffer == NULL)
-- return False;
-+ if (str->uni_str_len) {
-+ str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len);
-+ if (str->str.buffer == NULL)
-+ return False;
-+ } else {
-+ str->str.buffer = NULL;
-+ }
- }
-
- p = (char *)str->str.buffer;
-
Added: branches/samba/etch/debian/patches/security-CVE-2007-2446_domain-fix.patch
===================================================================
--- branches/samba/etch/debian/patches/security-CVE-2007-2446_domain-fix.patch (rev 0)
+++ branches/samba/etch/debian/patches/security-CVE-2007-2446_domain-fix.patch 2007-05-30 09:18:04 UTC (rev 1422)
@@ -0,0 +1,574 @@
+Index: samba-3.0.24/source/libads/authdata.c
+===================================================================
+--- samba-3.0.24.orig/source/libads/authdata.c 2007-05-23 15:03:45.000000000 -0700
++++ samba-3.0.24/source/libads/authdata.c 2007-05-23 15:08:24.000000000 -0700
+@@ -120,10 +120,14 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num);
+- if (!array->krb_sid_and_attrs) {
+- DEBUG(3, ("No memory available\n"));
+- return False;
++ if (num) {
++ array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num);
++ if (!array->krb_sid_and_attrs) {
++ DEBUG(3, ("No memory available\n"));
++ return False;
++ }
++ } else {
++ array->krb_sid_and_attrs = NULL;
+ }
+ }
+
+@@ -184,10 +188,14 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num);
+- if (!array->group_membership) {
+- DEBUG(3, ("No memory available\n"));
+- return False;
++ if (num) {
++ array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num);
++ if (!array->group_membership) {
++ DEBUG(3, ("No memory available\n"));
++ return False;
++ }
++ } else {
++ array->group_membership = NULL;
+ }
+ }
+
+@@ -456,10 +464,14 @@
+ return False;
+
+ if (UNMARSHALLING(ps) && length) {
+- data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen);
+- if (!data->signature.buffer) {
+- DEBUG(3, ("No memory available\n"));
+- return False;
++ if (siglen) {
++ data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen);
++ if (!data->signature.buffer) {
++ DEBUG(3, ("No memory available\n"));
++ return False;
++ }
++ } else {
++ data->signature.buffer = NULL;
+ }
+ }
+
+Index: samba-3.0.24/source/registry/regfio.c
+===================================================================
+--- samba-3.0.24.orig/source/registry/regfio.c 2007-05-23 15:03:48.000000000 -0700
++++ samba-3.0.24/source/registry/regfio.c 2007-05-23 15:08:24.000000000 -0700
+@@ -642,8 +642,12 @@
+ return False;
+
+ if ( UNMARSHALLING(&hbin->ps) ) {
+- if ( !(lf->hashes = PRS_ALLOC_MEM( &hbin->ps, REGF_HASH_REC, lf->num_keys )) )
+- return False;
++ if (lf->num_keys) {
++ if ( !(lf->hashes = PRS_ALLOC_MEM( &hbin->ps, REGF_HASH_REC, lf->num_keys )) )
++ return False;
++ } else {
++ lf->hashes = NULL;
++ }
+ }
+
+ for ( i=0; i<lf->num_keys; i++ ) {
+Index: samba-3.0.24/source/rpc_parse/parse_lsa.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_lsa.c 2007-05-23 15:06:18.000000000 -0700
++++ samba-3.0.24/source/rpc_parse/parse_lsa.c 2007-05-23 15:08:24.000000000 -0700
+@@ -1171,7 +1171,7 @@
+
+ /* Mallocate memory if we're unpacking from the wire */
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && sen->num_entries) {
+ if ((sen->ptr_sid = PRS_ALLOC_MEM( ps, uint32, sen->num_entries)) == NULL) {
+ DEBUG(3, ("init_lsa_sid_enum(): out of memory for "
+ "ptr_sid\n"));
+@@ -1354,7 +1354,7 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && trn->num_entries2) {
+ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
+ return False;
+ }
+@@ -1416,7 +1416,7 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && trn->num_entries2) {
+ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) {
+ return False;
+ }
+@@ -1688,7 +1688,7 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && out->num_entries2) {
+ if ((out->dom_rid = PRS_ALLOC_MEM(ps, DOM_RID, out->num_entries2))
+ == NULL) {
+ DEBUG(3, ("lsa_io_r_lookup_names(): out of memory\n"));
+@@ -1813,7 +1813,7 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && out->num_entries2) {
+ if ((out->dom_rid = PRS_ALLOC_MEM(ps, DOM_RID2, out->num_entries2))
+ == NULL) {
+ DEBUG(3, ("lsa_io_r_lookup_names2(): out of memory\n"));
+@@ -1966,7 +1966,7 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && out->num_entries2) {
+ if ((out->trans_sids = PRS_ALLOC_MEM(ps, LSA_TRANSLATED_SID3, out->num_entries2))
+ == NULL) {
+ DEBUG(3, ("lsa_io_r_lookup_names3(): out of memory\n"));
+@@ -2095,7 +2095,7 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && out->num_entries2) {
+ if ((out->trans_sids = PRS_ALLOC_MEM(ps, LSA_TRANSLATED_SID3, out->num_entries2))
+ == NULL) {
+ DEBUG(3, ("lsa_io_r_lookup_names4(): out of memory\n"));
+@@ -2334,7 +2334,7 @@
+ if(!prs_uint32("count1", ps, depth, &out->count1))
+ return False;
+
+- if (UNMARSHALLING(ps))
++ if (UNMARSHALLING(ps) && out->count1)
+ if (!(out->privs = PRS_ALLOC_MEM(ps, LSA_PRIV_ENTRY, out->count1)))
+ return False;
+
+@@ -3896,7 +3896,7 @@
+ prs_debug(ps, depth, desc, "smb_io_lsa_data_buf");
+ depth++;
+
+- if ( UNMARSHALLING(ps) ) {
++ if ( UNMARSHALLING(ps) && length ) {
+ if ( !(buf->data = PRS_ALLOC_MEM( ps, uint8, length )) )
+ return False;
+ }
+@@ -3910,7 +3910,7 @@
+ if (!prs_uint32("length", ps, depth, &buf->length))
+ return False;
+
+- if(!prs_uint8s(False, "data", ps, depth, buf->data, size))
++ if(!prs_uint8s(False, "data", ps, depth, buf->data, length))
+ return False;
+
+ return True;
+Index: samba-3.0.24/source/rpc_parse/parse_net.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_net.c 2007-05-23 15:06:21.000000000 -0700
++++ samba-3.0.24/source/rpc_parse/parse_net.c 2007-05-23 15:08:24.000000000 -0700
+@@ -1721,9 +1721,13 @@
+ }
+
+ if (UNMARSHALLING(ps)) {
+- usr->gids = PRS_ALLOC_MEM(ps, DOM_GID, usr->num_groups);
+- if (usr->gids == NULL)
+- return False;
++ if (usr->num_groups) {
++ usr->gids = PRS_ALLOC_MEM(ps, DOM_GID, usr->num_groups);
++ if (usr->gids == NULL)
++ return False;
++ } else {
++ usr->gids = NULL;
++ }
+ }
+
+ for (i = 0; i < usr->num_groups; i++) {
+@@ -1756,10 +1760,15 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- usr->other_sids = PRS_ALLOC_MEM(ps, DOM_SID2, usr->num_other_sids);
+- usr->other_sids_attrib =
+- PRS_ALLOC_MEM(ps, uint32, usr->num_other_sids);
+-
++ if (usr->num_other_sids) {
++ usr->other_sids = PRS_ALLOC_MEM(ps, DOM_SID2, usr->num_other_sids);
++ usr->other_sids_attrib =
++ PRS_ALLOC_MEM(ps, uint32, usr->num_other_sids);
++ } else {
++ usr->other_sids = NULL;
++ usr->other_sids_attrib = NULL;
++ }
++
+ if ((num_other_sids != 0) &&
+ ((usr->other_sids == NULL) ||
+ (usr->other_sids_attrib == NULL)))
+Index: samba-3.0.24/source/rpc_parse/parse_prs.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_prs.c 2007-05-23 15:03:03.000000000 -0700
++++ samba-3.0.24/source/rpc_parse/parse_prs.c 2007-05-23 15:08:24.000000000 -0700
+@@ -642,8 +642,12 @@
+ return True;
+
+ if (UNMARSHALLING(ps)) {
+- if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
+- return False;
++ if (data_size) {
++ if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
++ return False;
++ } else {
++ *data = NULL;
++ }
+ }
+
+ return prs_fn(name, ps, depth, *data);
+@@ -1014,16 +1018,16 @@
+ if (q == NULL)
+ return False;
+
++ /* If the string is empty, we don't have anything to stream */
++ if (str->buf_len==0)
++ return True;
++
+ if (UNMARSHALLING(ps)) {
+ str->buffer = PRS_ALLOC_MEM(ps,uint16,str->buf_len);
+ if (str->buffer == NULL)
+ return False;
+ }
+
+- /* If the string is empty, we don't have anything to stream */
+- if (str->buf_len==0)
+- return True;
+-
+ p = (char *)str->buffer;
+
+ dbg_rw_punival(charmode, name, depth, ps, q, p, str->buf_len);
+@@ -1053,6 +1057,8 @@
+ buf->buffer = PRS_ALLOC_MEM(ps, uint16, buf->buf_max_len);
+ if ( buf->buffer == NULL )
+ return False;
++ } else {
++ buf->buffer = NULL;
+ }
+ }
+
+@@ -1080,9 +1086,13 @@
+ if (str->str_str_len > str->str_max_len) {
+ return False;
+ }
+- str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len);
+- if (str->buffer == NULL)
+- return False;
++ if (str->str_max_len) {
++ str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len);
++ if (str->buffer == NULL)
++ return False;
++ } else {
++ str->buffer = NULL;
++ }
+ }
+
+ if (UNMARSHALLING(ps)) {
+@@ -1127,9 +1137,13 @@
+ if (str->uni_str_len > str->uni_max_len) {
+ return False;
+ }
+- str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len);
+- if (str->buffer == NULL)
+- return False;
++ if (str->uni_max_len) {
++ str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len);
++ if (str->buffer == NULL)
++ return False;
++ } else {
++ str->buffer = NULL;
++ }
+ }
+
+ p = (char *)str->buffer;
+@@ -1154,9 +1168,13 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len);
+- if (str->str.buffer == NULL)
+- return False;
++ if (str->uni_str_len) {
++ str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len);
++ if (str->str.buffer == NULL)
++ return False;
++ } else {
++ str->str.buffer = NULL;
++ }
+ }
+
+ p = (char *)str->str.buffer;
+Index: samba-3.0.24/source/rpc_parse/parse_samr.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_samr.c 2007-05-23 15:03:41.000000000 -0700
++++ samba-3.0.24/source/rpc_parse/parse_samr.c 2007-05-23 15:08:24.000000000 -0700
+@@ -3337,7 +3337,7 @@
+ if(!prs_uint32("num_entries3", ps, depth, &r_u->num_entries3))
+ return False;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && r_u->num_entries2) {
+ r_u->sam = PRS_ALLOC_MEM(ps,SAM_ENTRY,r_u->num_entries2);
+ r_u->uni_dom_name = PRS_ALLOC_MEM(ps,UNISTR2,r_u->num_entries2);
+ }
+@@ -3476,7 +3476,7 @@
+ if(!prs_uint32("num_entries3", ps, depth, &r_u->num_entries3))
+ return False;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && r_u->num_entries2) {
+ r_u->sam = PRS_ALLOC_MEM(ps,SAM_ENTRY,r_u->num_entries2);
+ r_u->uni_grp_name = PRS_ALLOC_MEM(ps,UNISTR2,r_u->num_entries2);
+ }
+@@ -4980,12 +4980,13 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps))
++ if (UNMARSHALLING(ps) && r_u->num_rids2) {
+ r_u->rids = PRS_ALLOC_MEM(ps, uint32, r_u->num_rids2);
+
+- if (!r_u->rids) {
+- DEBUG(0, ("NULL rids in samr_io_r_lookup_names\n"));
+- return False;
++ if (!r_u->rids) {
++ DEBUG(0, ("NULL rids in samr_io_r_lookup_names\n"));
++ return False;
++ }
+ }
+
+ for (i = 0; i < r_u->num_rids2; i++) {
+@@ -5009,12 +5010,13 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps))
++ if (UNMARSHALLING(ps) && r_u->num_types2) {
+ r_u->types = PRS_ALLOC_MEM(ps, uint32, r_u->num_types2);
+
+- if (!r_u->types) {
+- DEBUG(0, ("NULL types in samr_io_r_lookup_names\n"));
+- return False;
++ if (!r_u->types) {
++ DEBUG(0, ("NULL types in samr_io_r_lookup_names\n"));
++ return False;
++ }
+ }
+
+ for (i = 0; i < r_u->num_types2; i++) {
+Index: samba-3.0.24/source/rpc_parse/parse_spoolss.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_spoolss.c 2007-05-23 15:06:24.000000000 -0700
++++ samba-3.0.24/source/rpc_parse/parse_spoolss.c 2007-05-23 15:08:24.000000000 -0700
+@@ -257,7 +257,7 @@
+ return False;
+
+ /* reading */
+- if (UNMARSHALLING(ps))
++ if (UNMARSHALLING(ps) && ctr->count)
+ if((ctr->type=PRS_ALLOC_MEM(ps,SPOOL_NOTIFY_OPTION_TYPE,ctr->count)) == NULL)
+ return False;
+
+@@ -416,7 +416,7 @@
+ if(!prs_uint32("string length", ps, depth, &data->notify_data.data.length))
+ return False;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && data->notify_data.data.length) {
+ data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16,
+ data->notify_data.data.length);
+
+@@ -435,7 +435,7 @@
+
+ case NOTIFY_POINTER:
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && data->notify_data.data.length) {
+ data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16,
+ data->notify_data.data.length);
+
+@@ -495,9 +495,13 @@
+
+ /* Tallocate memory for string */
+
+- data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, x * 2);
+- if (!data->notify_data.data.string)
+- return False;
++ if (x) {
++ data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, x * 2);
++ if (!data->notify_data.data.string)
++ return False;
++ } else {
++ data->notify_data.data.string = NULL;
++ }
+
+ if(!prs_uint16uni(True,"string",ps,depth,data->notify_data.data.string,x))
+ return False;
+@@ -5936,14 +5940,14 @@
+ case REG_BINARY:
+ case REG_DWORD:
+ case REG_MULTI_SZ:
+- if (q_u->max_len) {
+- if (UNMARSHALLING(ps))
+- q_u->data=PRS_ALLOC_MEM(ps, uint8, q_u->max_len);
+- if(q_u->data == NULL)
+- return False;
+- if(!prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len))
+- return False;
+- }
++ if (q_u->max_len) {
++ if (UNMARSHALLING(ps))
++ q_u->data=PRS_ALLOC_MEM(ps, uint8, q_u->max_len);
++ if(q_u->data == NULL)
++ return False;
++ if(!prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len))
++ return False;
++ }
+ if(!prs_align(ps))
+ return False;
+ break;
+@@ -6961,7 +6965,7 @@
+
+ /* first loop to write basic enum_value information */
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && ctr->size_of_array) {
+ ctr->values = PRS_ALLOC_MEM(ps, PRINTER_ENUM_VALUES, ctr->size_of_array);
+ if (!ctr->values)
+ return False;
+Index: samba-3.0.24/source/rpc_parse/parse_srv.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_srv.c 2007-05-23 15:03:10.000000000 -0700
++++ samba-3.0.24/source/rpc_parse/parse_srv.c 2007-05-23 15:08:24.000000000 -0700
+@@ -782,7 +782,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info0 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_0, num_entries)))
+ return False;
+ ctr->share.info0 = info0;
+@@ -808,7 +808,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_1, num_entries)))
+ return False;
+ ctr->share.info1 = info1;
+@@ -834,7 +834,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info2 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_2,num_entries)))
+ return False;
+ ctr->share.info2 = info2;
+@@ -859,7 +859,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info501 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_501, num_entries)))
+ return False;
+ ctr->share.info501 = info501;
+@@ -884,7 +884,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info502 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_502,num_entries)))
+ return False;
+ ctr->share.info502 = info502;
+@@ -910,7 +910,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1004 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1004,num_entries)))
+ return False;
+ ctr->share.info1004 = info1004;
+@@ -936,7 +936,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1005 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1005,num_entries)))
+ return False;
+ ctr->share.info1005 = info1005;
+@@ -956,7 +956,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1006 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1006,num_entries)))
+ return False;
+ ctr->share.info1006 = info1006;
+@@ -976,7 +976,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1007 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1007,num_entries)))
+ return False;
+ ctr->share.info1007 = info1007;
+@@ -1002,7 +1002,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1501 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1501,num_entries)))
+ return False;
+ ctr->share.info1501 = info1501;
+@@ -2558,7 +2558,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info3 = PRS_ALLOC_MEM(ps, SRV_FILE_INFO_3, num_entries)))
+ return False;
+ ctr->file.info3 = info3;
+@@ -3377,7 +3377,7 @@
+
+ r_n->disk_enum_ctr.entries_read = entries_read3;
+
+- if(UNMARSHALLING(ps)) {
++ if(UNMARSHALLING(ps) && entries_read3) {
+
+ DISK_INFO *dinfo;
+
+@@ -3386,7 +3386,7 @@
+ r_n->disk_enum_ctr.disk_info = dinfo;
+ }
+
+- for(i=0; i < r_n->disk_enum_ctr.entries_read; i++) {
++ for(i=0; i < entries_read3; i++) {
+
+ if(!prs_uint32("unknown", ps, depth, &r_n->disk_enum_ctr.disk_info[i].unknown))
+ return False;
Modified: branches/samba/etch/debian/patches/series
===================================================================
--- branches/samba/etch/debian/patches/series 2007-05-29 19:50:34 UTC (rev 1421)
+++ branches/samba/etch/debian/patches/series 2007-05-30 09:18:04 UTC (rev 1422)
@@ -24,4 +24,4 @@
security-CVE-2007-2446.patch
security-CVE-2007-2447.patch
security-CVE-2007-2444_fixed-force-group.patch
-security-CVE-2007-2444_fixed-parse_prs.patch
+security-CVE-2007-2446_domain-fix.patch
More information about the Pkg-samba-maint
mailing list