rpcrt4: Check that strings in SMB, NB and pipe floors are nul-terminated before copying the data.

ce085ed8 · Rob Shearman · Alexandre Julliard · 257bf68f · ce085ed8
Commit ce085ed8 authored Aug 10, 2008 by Rob Shearman Committed by Alexandre Julliard Aug 18, 2008
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

rpc_transport.c dlls/rpcrt4/rpc_transport.c +6 -3

No files found.
--- a/dlls/rpcrt4/rpc_transport.c
+++ b/dlls/rpcrt4/rpc_transport.c
@@ -504,7 +504,8 @@ static RPC_STATUS rpcrt4_ncacn_np_parse_top_of_tower(const unsigned char *tower_
    if ((smb_floor->count_lhs != sizeof(smb_floor->protid)) ||
        (smb_floor->protid != EPM_PROTOCOL_SMB) ||
-        (smb_floor->count_rhs > tower_size))
+        (smb_floor->count_rhs > tower_size) ||
+        (tower_data[smb_floor->count_rhs - 1] != '\0'))
        return EPT_S_NOT_REGISTERED;
    if (endpoint)
@@ -527,7 +528,8 @@ static RPC_STATUS rpcrt4_ncacn_np_parse_top_of_tower(const unsigned char *tower_
    if ((nb_floor->count_lhs != sizeof(nb_floor->protid)) ||
        (nb_floor->protid != EPM_PROTOCOL_NETBIOS) ||
-        (nb_floor->count_rhs > tower_size))
+        (nb_floor->count_rhs > tower_size) ||
+        (tower_data[nb_floor->count_rhs - 1] != '\0'))
        return EPT_S_NOT_REGISTERED;
    if (networkaddr)
@@ -714,7 +716,8 @@ static RPC_STATUS rpcrt4_ncalrpc_parse_top_of_tower(const unsigned char *tower_d
    if ((pipe_floor->count_lhs != sizeof(pipe_floor->protid)) ||
        (pipe_floor->protid != EPM_PROTOCOL_PIPE) ||
-        (pipe_floor->count_rhs > tower_size))
+        (pipe_floor->count_rhs > tower_size) ||
+        (tower_data[pipe_floor->count_rhs - 1] != '\0'))
        return EPT_S_NOT_REGISTERED;
    if (networkaddr)