Index: samba-3.0.24/source/include/smb_macros.h =================================================================== --- samba-3.0.24.orig/source/include/smb_macros.h 2006-04-19 21:29:39.000000000 -0500 +++ samba-3.0.24/source/include/smb_macros.h 2007-05-25 12:40:05.000000000 -0500 @@ -310,7 +310,6 @@ #if defined(PARANOID_MALLOC_CHECKER) #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem_((ps),sizeof(type),(count)) -#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem_((ps),(size),1) /* Get medieval on our ass about malloc.... */ @@ -354,7 +353,6 @@ #define __location__ __FILE__ ":" __LINESTR__ #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem((ps),sizeof(type),(count)) -#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem((ps),(size),1) /* Regular malloc code. */ Index: samba-3.0.24/source/rpc_parse/parse_dfs.c =================================================================== --- samba-3.0.24.orig/source/rpc_parse/parse_dfs.c 2007-02-04 12:59:22.000000000 -0600 +++ samba-3.0.24/source/rpc_parse/parse_dfs.c 2007-05-25 12:40:05.000000000 -0500 @@ -325,7 +325,9 @@ return False; if (UNMARSHALLING(ps)) { - v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores); + v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores); + if (!v->stores) + return False; } for (i_stores_1=0; i_stores_1num_stores;i_stores_1++) { if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth)) @@ -447,7 +449,9 @@ return False; if (UNMARSHALLING(ps)) { - v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores); + v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores); + if (!v->stores) + return False; } for (i_stores_1=0; i_stores_1num_stores;i_stores_1++) { if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth)) @@ -920,7 +924,9 @@ return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO1,v->count); + if (!v->s) + return False; } for (i_s_1=0; i_s_1count;i_s_1++) { if (!netdfs_io_dfs_Info1_p("s", &v->s[i_s_1], ps, depth)) @@ -986,7 +992,9 @@ return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO2,v->count); + if (!v->s) + return False; } for (i_s_1=0; i_s_1count;i_s_1++) { if (!netdfs_io_dfs_Info2_p("s", &v->s[i_s_1], ps, depth)) @@ -1052,7 +1060,9 @@ return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO3,v->count); + if (!v->s) + return False; } for (i_s_1=0; i_s_1count;i_s_1++) { if (!netdfs_io_dfs_Info3_p("s", &v->s[i_s_1], ps, depth)) @@ -1118,7 +1128,9 @@ return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO4,v->count); + if (!v->s) + return False; } for (i_s_1=0; i_s_1count;i_s_1++) { if (!netdfs_io_dfs_Info4_p("s", &v->s[i_s_1], ps, depth)) @@ -1184,7 +1196,9 @@ return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO200,v->count); + if (!v->s) + return False; } for (i_s_1=0; i_s_1count;i_s_1++) { if (!netdfs_io_dfs_Info200_p("s", &v->s[i_s_1], ps, depth)) @@ -1250,7 +1264,9 @@ return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO300,v->count); + if (!v->s) + return False; } for (i_s_1=0; i_s_1count;i_s_1++) { if (!netdfs_io_dfs_Info300_p("s", &v->s[i_s_1], ps, depth)) Index: samba-3.0.24/source/rpc_parse/parse_lsa.c =================================================================== --- samba-3.0.24.orig/source/rpc_parse/parse_lsa.c 2007-02-04 12:59:22.000000000 -0600 +++ samba-3.0.24/source/rpc_parse/parse_lsa.c 2007-05-25 12:41:06.000000000 -0500 @@ -1171,7 +1171,7 @@ /* Mallocate memory if we're unpacking from the wire */ - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && sen->num_entries) { if ((sen->ptr_sid = PRS_ALLOC_MEM( ps, uint32, sen->num_entries)) == NULL) { DEBUG(3, ("init_lsa_sid_enum(): out of memory for " "ptr_sid\n")); @@ -1349,12 +1349,17 @@ &trn->num_entries2)) return False; - if (UNMARSHALLING(ps)) { - if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) { + if (trn->num_entries2 != trn->num_entries) { + /* RPC fault */ + return False; + } + + if (UNMARSHALLING(ps) && trn->num_entries2) { + if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) { return False; } - if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) { + if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) { return False; } } @@ -1406,12 +1411,17 @@ &trn->num_entries2)) return False; - if (UNMARSHALLING(ps)) { - if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries)) == NULL) { + if (trn->num_entries2 != trn->num_entries) { + /* RPC fault */ + return False; + } + + if (UNMARSHALLING(ps) && trn->num_entries2) { + if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) { return False; } - if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) { + if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) { return False; } } @@ -1678,7 +1688,7 @@ return False; } - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && out->num_entries2) { if ((out->dom_rid = PRS_ALLOC_MEM(ps, DOM_RID, out->num_entries2)) == NULL) { DEBUG(3, ("lsa_io_r_lookup_names(): out of memory\n")); @@ -1803,7 +1813,7 @@ return False; } - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && out->num_entries2) { if ((out->dom_rid = PRS_ALLOC_MEM(ps, DOM_RID2, out->num_entries2)) == NULL) { DEBUG(3, ("lsa_io_r_lookup_names2(): out of memory\n")); @@ -1956,7 +1966,7 @@ return False; } - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && out->num_entries2) { if ((out->trans_sids = PRS_ALLOC_MEM(ps, LSA_TRANSLATED_SID3, out->num_entries2)) == NULL) { DEBUG(3, ("lsa_io_r_lookup_names3(): out of memory\n")); @@ -2085,7 +2095,7 @@ return False; } - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && out->num_entries2) { if ((out->trans_sids = PRS_ALLOC_MEM(ps, LSA_TRANSLATED_SID3, out->num_entries2)) == NULL) { DEBUG(3, ("lsa_io_r_lookup_names4(): out of memory\n")); @@ -2324,7 +2334,7 @@ if(!prs_uint32("count1", ps, depth, &out->count1)) return False; - if (UNMARSHALLING(ps)) + if (UNMARSHALLING(ps) && out->count1) if (!(out->privs = PRS_ALLOC_MEM(ps, LSA_PRIV_ENTRY, out->count1))) return False; @@ -2759,7 +2769,7 @@ static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struct *ps, int depth) { - uint32 i; + uint32 i, dummy; prs_debug(ps, depth, desc, "lsa_io_privilege_set"); depth++; @@ -2767,7 +2777,7 @@ if(!prs_align(ps)) return False; - if(!prs_uint32("count", ps, depth, &out->count)) + if(!prs_uint32("count", ps, depth, &dummy)) return False; if(!prs_uint32("control", ps, depth, &out->control)) return False; @@ -3886,7 +3896,7 @@ prs_debug(ps, depth, desc, "smb_io_lsa_data_buf"); depth++; - if ( UNMARSHALLING(ps) ) { + if ( UNMARSHALLING(ps) && length ) { if ( !(buf->data = PRS_ALLOC_MEM( ps, uint8, length )) ) return False; } @@ -3900,7 +3910,7 @@ if (!prs_uint32("length", ps, depth, &buf->length)) return False; - if(!prs_uint8s(False, "data", ps, depth, buf->data, size)) + if(!prs_uint8s(False, "data", ps, depth, buf->data, length)) return False; return True; Index: samba-3.0.24/source/rpc_parse/parse_prs.c =================================================================== --- samba-3.0.24.orig/source/rpc_parse/parse_prs.c 2007-02-04 12:59:22.000000000 -0600 +++ samba-3.0.24/source/rpc_parse/parse_prs.c 2007-05-25 12:41:06.000000000 -0500 @@ -156,7 +156,7 @@ { char *ret = NULL; - if (size) { + if (size && count) { /* We can't call the type-safe version here. */ ret = _talloc_zero_array(ps->mem_ctx, size, count, "parse_prs"); } @@ -642,9 +642,13 @@ return True; if (UNMARSHALLING(ps)) { - if ( !(*data = PRS_ALLOC_MEM_VOID(ps, data_size)) ) - return False; - } + if (data_size) { + if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) ) + return False; + } else { + *data = NULL; + } + } return prs_fn(name, ps, depth, *data); } @@ -1014,16 +1018,16 @@ if (q == NULL) return False; + /* If the string is empty, we don't have anything to stream */ + if (str->buf_len==0) + return True; + if (UNMARSHALLING(ps)) { str->buffer = PRS_ALLOC_MEM(ps,uint16,str->buf_len); if (str->buffer == NULL) return False; } - /* If the string is empty, we don't have anything to stream */ - if (str->buf_len==0) - return True; - p = (char *)str->buffer; dbg_rw_punival(charmode, name, depth, ps, q, p, str->buf_len); @@ -1053,6 +1057,8 @@ buf->buffer = PRS_ALLOC_MEM(ps, uint16, buf->buf_max_len); if ( buf->buffer == NULL ) return False; + } else { + buf->buffer = NULL; } } @@ -1080,9 +1086,13 @@ if (str->str_str_len > str->str_max_len) { return False; } - str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len); - if (str->buffer == NULL) - return False; + if (str->str_max_len) { + str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len); + if (str->buffer == NULL) + return False; + } else { + str->buffer = NULL; + } } if (UNMARSHALLING(ps)) { @@ -1127,9 +1137,13 @@ if (str->uni_str_len > str->uni_max_len) { return False; } - str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len); - if (str->buffer == NULL) - return False; + if (str->uni_max_len) { + str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len); + if (str->buffer == NULL) + return False; + } else { + str->buffer = NULL; + } } p = (char *)str->buffer; @@ -1154,9 +1168,13 @@ return False; if (UNMARSHALLING(ps)) { - str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len); - if (str->str.buffer == NULL) - return False; + if (str->uni_str_len) { + str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len); + if (str->str.buffer == NULL) + return False; + } else { + str->str.buffer = NULL; + } } p = (char *)str->str.buffer; Index: samba-3.0.24/source/rpc_parse/parse_sec.c =================================================================== --- samba-3.0.24.orig/source/rpc_parse/parse_sec.c 2005-04-18 11:38:20.000000000 -0500 +++ samba-3.0.24/source/rpc_parse/parse_sec.c 2007-05-25 12:40:05.000000000 -0500 @@ -122,7 +122,7 @@ for you as it reads them. ********************************************************************/ -BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth) +static BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth) { unsigned int i; uint32 old_offset; @@ -165,13 +165,10 @@ return False; if (UNMARSHALLING(ps)) { - /* - * Even if the num_aces is zero, allocate memory as there's a difference - * between a non-present DACL (allow all access) and a DACL with no ACE's - * (allow no access). - */ - if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL) - return False; + if (psa->num_aces) { + if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL) + return False; + } } for (i = 0; i < psa->num_aces; i++) { Index: samba-3.0.24/source/rpc_parse/parse_spoolss.c =================================================================== --- samba-3.0.24.orig/source/rpc_parse/parse_spoolss.c 2007-02-04 12:59:22.000000000 -0600 +++ samba-3.0.24/source/rpc_parse/parse_spoolss.c 2007-05-25 12:41:06.000000000 -0500 @@ -227,8 +227,13 @@ if(!prs_uint32("count2", ps, depth, &type->count2)) return False; - if (type->count2 != type->count) + if (type->count2 != type->count) { DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2)); + return False; + } + if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) { + return False; + } /* parse the option type data */ for(i=0;icount2;i++) @@ -252,7 +257,7 @@ return False; /* reading */ - if (UNMARSHALLING(ps)) + if (UNMARSHALLING(ps) && ctr->count) if((ctr->type=PRS_ALLOC_MEM(ps,SPOOL_NOTIFY_OPTION_TYPE,ctr->count)) == NULL) return False; @@ -411,7 +416,7 @@ if(!prs_uint32("string length", ps, depth, &data->notify_data.data.length)) return False; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && data->notify_data.data.length) { data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, data->notify_data.data.length); @@ -430,7 +435,7 @@ case NOTIFY_POINTER: - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && data->notify_data.data.length) { data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, data->notify_data.data.length); @@ -490,9 +495,13 @@ /* Tallocate memory for string */ - data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, x * 2); - if (!data->notify_data.data.string) - return False; + if (x) { + data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, x * 2); + if (!data->notify_data.data.string) + return False; + } else { + data->notify_data.data.string = NULL; + } if(!prs_uint16uni(True,"string",ps,depth,data->notify_data.data.string,x)) return False; @@ -5931,14 +5940,14 @@ case REG_BINARY: case REG_DWORD: case REG_MULTI_SZ: - if (q_u->max_len) { - if (UNMARSHALLING(ps)) - q_u->data=PRS_ALLOC_MEM(ps, uint8, q_u->max_len); - if(q_u->data == NULL) - return False; - if(!prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len)) - return False; - } + if (q_u->max_len) { + if (UNMARSHALLING(ps)) + q_u->data=PRS_ALLOC_MEM(ps, uint8, q_u->max_len); + if(q_u->data == NULL) + return False; + if(!prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len)) + return False; + } if(!prs_align(ps)) return False; break; @@ -6956,7 +6965,7 @@ /* first loop to write basic enum_value information */ - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && ctr->size_of_array) { ctr->values = PRS_ALLOC_MEM(ps, PRINTER_ENUM_VALUES, ctr->size_of_array); if (!ctr->values) return False; Index: samba-3.0.24/source/libads/authdata.c =================================================================== --- samba-3.0.24.orig/source/libads/authdata.c 2006-02-23 10:29:34.000000000 -0600 +++ samba-3.0.24/source/libads/authdata.c 2007-05-25 12:41:06.000000000 -0500 @@ -120,10 +120,14 @@ return False; if (UNMARSHALLING(ps)) { - array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num); - if (!array->krb_sid_and_attrs) { - DEBUG(3, ("No memory available\n")); - return False; + if (num) { + array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num); + if (!array->krb_sid_and_attrs) { + DEBUG(3, ("No memory available\n")); + return False; + } + } else { + array->krb_sid_and_attrs = NULL; } } @@ -184,10 +188,14 @@ return False; if (UNMARSHALLING(ps)) { - array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num); - if (!array->group_membership) { - DEBUG(3, ("No memory available\n")); - return False; + if (num) { + array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num); + if (!array->group_membership) { + DEBUG(3, ("No memory available\n")); + return False; + } + } else { + array->group_membership = NULL; } } @@ -456,10 +464,14 @@ return False; if (UNMARSHALLING(ps) && length) { - data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen); - if (!data->signature.buffer) { - DEBUG(3, ("No memory available\n")); - return False; + if (siglen) { + data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen); + if (!data->signature.buffer) { + DEBUG(3, ("No memory available\n")); + return False; + } + } else { + data->signature.buffer = NULL; } } Index: samba-3.0.24/source/registry/regfio.c =================================================================== --- samba-3.0.24.orig/source/registry/regfio.c 2007-02-04 12:59:26.000000000 -0600 +++ samba-3.0.24/source/registry/regfio.c 2007-05-25 12:41:06.000000000 -0500 @@ -642,8 +642,12 @@ return False; if ( UNMARSHALLING(&hbin->ps) ) { - if ( !(lf->hashes = PRS_ALLOC_MEM( &hbin->ps, REGF_HASH_REC, lf->num_keys )) ) - return False; + if (lf->num_keys) { + if ( !(lf->hashes = PRS_ALLOC_MEM( &hbin->ps, REGF_HASH_REC, lf->num_keys )) ) + return False; + } else { + lf->hashes = NULL; + } } for ( i=0; inum_keys; i++ ) { Index: samba-3.0.24/source/rpc_parse/parse_net.c =================================================================== --- samba-3.0.24.orig/source/rpc_parse/parse_net.c 2007-02-04 12:59:22.000000000 -0600 +++ samba-3.0.24/source/rpc_parse/parse_net.c 2007-05-25 12:41:06.000000000 -0500 @@ -1721,9 +1721,13 @@ } if (UNMARSHALLING(ps)) { - usr->gids = PRS_ALLOC_MEM(ps, DOM_GID, usr->num_groups); - if (usr->gids == NULL) - return False; + if (usr->num_groups) { + usr->gids = PRS_ALLOC_MEM(ps, DOM_GID, usr->num_groups); + if (usr->gids == NULL) + return False; + } else { + usr->gids = NULL; + } } for (i = 0; i < usr->num_groups; i++) { @@ -1756,10 +1760,15 @@ return False; if (UNMARSHALLING(ps)) { - usr->other_sids = PRS_ALLOC_MEM(ps, DOM_SID2, usr->num_other_sids); - usr->other_sids_attrib = - PRS_ALLOC_MEM(ps, uint32, usr->num_other_sids); - + if (usr->num_other_sids) { + usr->other_sids = PRS_ALLOC_MEM(ps, DOM_SID2, usr->num_other_sids); + usr->other_sids_attrib = + PRS_ALLOC_MEM(ps, uint32, usr->num_other_sids); + } else { + usr->other_sids = NULL; + usr->other_sids_attrib = NULL; + } + if ((num_other_sids != 0) && ((usr->other_sids == NULL) || (usr->other_sids_attrib == NULL))) Index: samba-3.0.24/source/rpc_parse/parse_samr.c =================================================================== --- samba-3.0.24.orig/source/rpc_parse/parse_samr.c 2007-02-04 12:59:22.000000000 -0600 +++ samba-3.0.24/source/rpc_parse/parse_samr.c 2007-05-25 12:41:06.000000000 -0500 @@ -3337,7 +3337,7 @@ if(!prs_uint32("num_entries3", ps, depth, &r_u->num_entries3)) return False; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && r_u->num_entries2) { r_u->sam = PRS_ALLOC_MEM(ps,SAM_ENTRY,r_u->num_entries2); r_u->uni_dom_name = PRS_ALLOC_MEM(ps,UNISTR2,r_u->num_entries2); } @@ -3476,7 +3476,7 @@ if(!prs_uint32("num_entries3", ps, depth, &r_u->num_entries3)) return False; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && r_u->num_entries2) { r_u->sam = PRS_ALLOC_MEM(ps,SAM_ENTRY,r_u->num_entries2); r_u->uni_grp_name = PRS_ALLOC_MEM(ps,UNISTR2,r_u->num_entries2); } @@ -4980,12 +4980,13 @@ return False; } - if (UNMARSHALLING(ps)) + if (UNMARSHALLING(ps) && r_u->num_rids2) { r_u->rids = PRS_ALLOC_MEM(ps, uint32, r_u->num_rids2); - if (!r_u->rids) { - DEBUG(0, ("NULL rids in samr_io_r_lookup_names\n")); - return False; + if (!r_u->rids) { + DEBUG(0, ("NULL rids in samr_io_r_lookup_names\n")); + return False; + } } for (i = 0; i < r_u->num_rids2; i++) { @@ -5009,12 +5010,13 @@ return False; } - if (UNMARSHALLING(ps)) + if (UNMARSHALLING(ps) && r_u->num_types2) { r_u->types = PRS_ALLOC_MEM(ps, uint32, r_u->num_types2); - if (!r_u->types) { - DEBUG(0, ("NULL types in samr_io_r_lookup_names\n")); - return False; + if (!r_u->types) { + DEBUG(0, ("NULL types in samr_io_r_lookup_names\n")); + return False; + } } for (i = 0; i < r_u->num_types2; i++) { Index: samba-3.0.24/source/rpc_parse/parse_srv.c =================================================================== --- samba-3.0.24.orig/source/rpc_parse/parse_srv.c 2005-04-18 11:38:20.000000000 -0500 +++ samba-3.0.24/source/rpc_parse/parse_srv.c 2007-05-25 12:41:06.000000000 -0500 @@ -782,7 +782,7 @@ int num_entries = ctr->num_entries; int i; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && num_entries) { if (!(info0 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_0, num_entries))) return False; ctr->share.info0 = info0; @@ -808,7 +808,7 @@ int num_entries = ctr->num_entries; int i; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && num_entries) { if (!(info1 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_1, num_entries))) return False; ctr->share.info1 = info1; @@ -834,7 +834,7 @@ int num_entries = ctr->num_entries; int i; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && num_entries) { if (!(info2 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_2,num_entries))) return False; ctr->share.info2 = info2; @@ -859,7 +859,7 @@ int num_entries = ctr->num_entries; int i; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && num_entries) { if (!(info501 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_501, num_entries))) return False; ctr->share.info501 = info501; @@ -884,7 +884,7 @@ int num_entries = ctr->num_entries; int i; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && num_entries) { if (!(info502 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_502,num_entries))) return False; ctr->share.info502 = info502; @@ -910,7 +910,7 @@ int num_entries = ctr->num_entries; int i; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && num_entries) { if (!(info1004 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1004,num_entries))) return False; ctr->share.info1004 = info1004; @@ -936,7 +936,7 @@ int num_entries = ctr->num_entries; int i; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && num_entries) { if (!(info1005 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1005,num_entries))) return False; ctr->share.info1005 = info1005; @@ -956,7 +956,7 @@ int num_entries = ctr->num_entries; int i; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && num_entries) { if (!(info1006 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1006,num_entries))) return False; ctr->share.info1006 = info1006; @@ -976,7 +976,7 @@ int num_entries = ctr->num_entries; int i; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && num_entries) { if (!(info1007 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1007,num_entries))) return False; ctr->share.info1007 = info1007; @@ -1002,7 +1002,7 @@ int num_entries = ctr->num_entries; int i; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && num_entries) { if (!(info1501 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1501,num_entries))) return False; ctr->share.info1501 = info1501; @@ -2558,7 +2558,7 @@ int num_entries = ctr->num_entries; int i; - if (UNMARSHALLING(ps)) { + if (UNMARSHALLING(ps) && num_entries) { if (!(info3 = PRS_ALLOC_MEM(ps, SRV_FILE_INFO_3, num_entries))) return False; ctr->file.info3 = info3; @@ -3377,7 +3377,7 @@ r_n->disk_enum_ctr.entries_read = entries_read3; - if(UNMARSHALLING(ps)) { + if(UNMARSHALLING(ps) && entries_read3) { DISK_INFO *dinfo; @@ -3386,7 +3386,7 @@ r_n->disk_enum_ctr.disk_info = dinfo; } - for(i=0; i < r_n->disk_enum_ctr.entries_read; i++) { + for(i=0; i < entries_read3; i++) { if(!prs_uint32("unknown", ps, depth, &r_n->disk_enum_ctr.disk_info[i].unknown)) return False;