From ce085ed8ec9bd5b88a58257d3485f8ade1b4578b Mon Sep 17 00:00:00 2001
From: Rob Shearman
Date: Sun, 10 Aug 2008 18:24:35 +0100
Subject: [PATCH] rpcrt4: Check that strings in SMB, NB and pipe floors are nul-terminated before copying the data.
---
 dlls/rpcrt4/rpc_transport.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/dlls/rpcrt4/rpc_transport.c b/dlls/rpcrt4/rpc_transport.c
index a797646dce8..75423b94369 100644
--- a/dlls/rpcrt4/rpc_transport.c
+++ b/dlls/rpcrt4/rpc_transport.c
@@ -504,7 +504,8 @@ static RPC_STATUS rpcrt4_ncacn_np_parse_top_of_tower(const unsigned char *tower_
 if ((smb_floor->count_lhs != sizeof(smb_floor->protid)) ||
 (smb_floor->protid != EPM_PROTOCOL_SMB) ||
- (smb_floor->count_rhs > tower_size))
+ (smb_floor->count_rhs > tower_size) ||
+ (tower_data[smb_floor->count_rhs - 1] != '\0'))
 return EPT_S_NOT_REGISTERED;
 if (endpoint)
@@ -527,7 +528,8 @@ static RPC_STATUS rpcrt4_ncacn_np_parse_top_of_tower(const unsigned char *tower_
 if ((nb_floor->count_lhs != sizeof(nb_floor->protid)) ||
 (nb_floor->protid != EPM_PROTOCOL_NETBIOS) ||
- (nb_floor->count_rhs > tower_size))
+ (nb_floor->count_rhs > tower_size) ||
+ (tower_data[nb_floor->count_rhs - 1] != '\0'))
 return EPT_S_NOT_REGISTERED;
 if (networkaddr)
@@ -714,7 +716,8 @@ static RPC_STATUS rpcrt4_ncalrpc_parse_top_of_tower(const unsigned char *tower_d
 if ((pipe_floor->count_lhs != sizeof(pipe_floor->protid)) ||
 (pipe_floor->protid != EPM_PROTOCOL_PIPE) ||
- (pipe_floor->count_rhs > tower_size))
+ (pipe_floor->count_rhs > tower_size) ||
+ (tower_data[pipe_floor->count_rhs - 1] != '\0'))
 return EPT_S_NOT_REGISTERED;
 if (networkaddr)
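Review bot: The added terminator test `tower_data[smb_floor->count_rhs - 1] != '\0'` does not handle `count_rhs == 0`. In that case the index is -1 (or wraps, depending on the field's type, which is not visible here), so the byte examined lies outside the string data, and a floor with an empty right-hand side may pass as "nul-terminated". Reject the empty case before indexing, for example by adding `(smb_floor->count_rhs == 0) ||` ahead of the terminator test. The same gap exists in the `nb_floor` and `pipe_floor` checks in the other two hunks. All three functions begin and end outside the hunks, so an earlier guard against a zero count cannot be ruled out from this patch alone.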