valgrind revealed a buffer underwrite in the autogenerated pidl client code. ==4996== Invalid read of size 1 ==4996== at 0x4C278C0: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==4996== by 0x98648A: rpccli_winreg_EnumValue (cli_winreg.c:1755) ==4996== by 0x786E00: winreg_printer_enumvalues (srv_spoolss_util.c:462) ==4996== by 0x78D07D: winreg_enum_printer_dataex (srv_spoolss_util.c:2773) ==4996== by 0x784D00: _spoolss_EnumPrinterDataEx (srv_spoolss_nt.c:8956) ==4996== by 0x7A0EF6: api_spoolss_EnumPrinterDataEx (srv_spoolss.c:5777) ==4996== by 0x7DCB9E: api_rpcTNP (srv_pipe.c:1600) ==4996== by 0x7DC616: api_pipe_request (srv_pipe.c:1533) ==4996== by 0x7DD7C0: process_request_pdu (srv_pipe.c:1790) ==4996== by 0x7DDC72: process_complete_pdu (srv_pipe.c:1847) ==4996== by 0x7DEE1F: process_incoming_data (srv_pipe_hnd.c:213) ==4996== by 0x7DEFB5: write_to_internal_pipe (srv_pipe_hnd.c:239) ==4996== by 0x7E0685: np_write_send (srv_pipe_hnd.c:658) ==4996== by 0x4DA85E: api_dcerpc_cmd (ipc.c:268) ==4996== by 0x4DB7E6: api_fd_reply (ipc.c:478) ==4996== by 0x4DBB18: named_pipe (ipc.c:533) ==4996== by 0x4DBF24: handle_trans (ipc.c:590) ==4996== by 0x4DCC79: reply_trans (ipc.c:775) ==4996== by 0x575E36: switch_message (process.c:1549) ==4996== by 0x575FC9: construct_reply (process.c:1584) ==4996== by 0x576398: process_smb (process.c:1663) ==4996== by 0x577EBE: smbd_server_connection_read_handler (process.c:2320) ==4996== by 0x577F32: smbd_server_connection_handler (process.c:2335) ==4996== by 0x8B334B: run_events (events.c:128) ==4996== by 0x57515B: smbd_server_connection_loop_once (process.c:989) ==4996== by 0x57B2ED: smbd_process (process.c:3144) ==4996== by 0xD912CA: smbd_accept_connection (server.c:437) ==4996== by 0x8B334B: run_events (events.c:128) ==4996== by 0x8B3698: s3_event_loop_once (events.c:191) ==4996== by 0x8B48F3: _tevent_loop_once (tevent.c:494) ==4996== by 0xD920BD: smbd_parent_loop (server.c:732) ==4996== by 0xD9333E: main (server.c:1153) ==4996== Address 0x9c4161e is 1 bytes after a block of size 93 alloc'd ==4996== at 0x4C26C3A: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==4996== by 0xD93F9A: __talloc (talloc.c:405) ==4996== by 0xD942F9: _talloc_named_const (talloc.c:516) ==4996== by 0xD96DAA: _talloc_array (talloc.c:1864) ==4996== by 0xB10ADC: ndr_pull_winreg_EnumValue (ndr_winreg.c:1716) ==4996== by 0x7E22E1: internal_ndr_pull (rpc_ncacn_np_internal.c:243) ==4996== by 0x7E24C9: rpc_pipe_internal_dispatch (rpc_ncacn_np_internal.c:297) ==4996== by 0x9863CA: rpccli_winreg_EnumValue (cli_winreg.c:1735) ==4996== by 0x786E00: winreg_printer_enumvalues (srv_spoolss_util.c:462) ==4996== by 0x78D07D: winreg_enum_printer_dataex (srv_spoolss_util.c:2773) ==4996== by 0x784D00: _spoolss_EnumPrinterDataEx (srv_spoolss_nt.c:8956) ==4996== by 0x7A0EF6: api_spoolss_EnumPrinterDataEx (srv_spoolss.c:5777) ==4996== by 0x7DCB9E: api_rpcTNP (srv_pipe.c:1600) ==4996== by 0x7DC616: api_pipe_request (srv_pipe.c:1533) ==4996== by 0x7DD7C0: process_request_pdu (srv_pipe.c:1790) ==4996== by 0x7DDC72: process_complete_pdu (srv_pipe.c:1847) ==4996== by 0x7DEE1F: process_incoming_data (srv_pipe_hnd.c:213) ==4996== by 0x7DEFB5: write_to_internal_pipe (srv_pipe_hnd.c:239) ==4996== by 0x7E0685: np_write_send (srv_pipe_hnd.c:658) ==4996== by 0x4DA85E: api_dcerpc_cmd (ipc.c:268) ==4996== by 0x4DB7E6: api_fd_reply (ipc.c:478) ==4996== by 0x4DBB18: named_pipe (ipc.c:533) ==4996== by 0x4DBF24: handle_trans (ipc.c:590) ==4996== by 0x4DCC79: reply_trans (ipc.c:775) ==4996== by 0x575E36: switch_message (process.c:1549) ==4996== by 0x575FC9: construct_reply (process.c:1584) ==4996== by 0x576398: process_smb (process.c:1663) ==4996== by 0x577EBE: smbd_server_connection_read_handler (process.c:2320) ==4996== by 0x577F32: smbd_server_connection_handler (process.c:2335) ==4996== by 0x8B334B: run_events (events.c:128) ==4996== by 0x57515B: smbd_server_connection_loop_once (process.c:989) ==4996== by 0x57B2ED: smbd_process (process.c:3144) ==4996== by 0xD912CA: smbd_accept_connection (server.c:437) ==4996== by 0x8B334B: run_events (events.c:128) ==4996== by 0x8B3698: s3_event_loop_once (events.c:191) ==4996== by 0x8B48F3: _tevent_loop_once (tevent.c:494) ==4996== by 0xD920BD: smbd_parent_loop (server.c:732) ==4996== by 0xD9333E: main (server.c:1153) The problem was if the buffer the developer provided to the function was bigger then the result then the result and the memory after it was copied to the buffer. The following patch fixes the problem and should be pushed to v3-4 and v3-5.
Created attachment 5885 [details] Samba3/ClientNDR - Correctly copy arrays, if r.out.size < r.in.size. The patch is from metze and looks fine. I've tested it several times here.
Metze, the patch doesn't apply to v3-5-test. Could you please provide patches for v3-4-test and v3-5-test
Created attachment 5889 [details] Patch for v3-5
Created attachment 5890 [details] Patch for v3-4
Comment on attachment 5889 [details] Patch for v3-5 looks good
Comment on attachment 5890 [details] Patch for v3-4 looks good
Karolin, please proceed.
Pushed to v3-5-test and v3-4-test. Closing out bug report. Thanks!