diff options
| author | David Disseldorp <ddiss@samba.org> | 2014-12-17 15:21:33 +0100 |
|---|---|---|
| committer | Andreas Schneider <asn@cryptomilk.org> | 2014-12-19 15:40:42 +0100 |
| commit | fb9ecb044ee986ab3496da6cbad162a224378475 (patch) | |
| tree | 1c24ed734a7861e417247b823263e117236e0d45 | |
| parent | 89869e090c56a3f83b451b437f9c3f40a231dd24 (diff) | |
| download | samba-fb9ecb044ee986ab3496da6cbad162a224378475.tar.gz | |
spoolss: clear DriverInfo on GetPrinterDriver2 error
In handling a spoolss GetPrinterDriver2 request, the handler may
return an immediate error if one of the input parameters is invalid.
If this is done without zeroing the pre-allocated @info pointer, then
marshalling of the response will fail.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
| -rw-r--r-- | source3/rpc_server/spoolss/srv_spoolss_nt.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c index c71eb911097..9023ab672ff 100644 --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c @@ -5686,14 +5686,16 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct *p, /* that's an [in out] buffer */ if (!r->in.buffer && (r->in.offered != 0)) { - return WERR_INVALID_PARAM; + result = WERR_INVALID_PARAM; + goto err_info_free; } DEBUG(4,("_spoolss_GetPrinterDriver2\n")); if (!(printer = find_printer_index_by_hnd(p, r->in.handle))) { DEBUG(0,("_spoolss_GetPrinterDriver2: invalid printer handle!\n")); - return WERR_INVALID_PRINTER_NAME; + result = WERR_INVALID_PRINTER_NAME; + goto err_info_free; } *r->out.needed = 0; @@ -5701,7 +5703,8 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct *p, *r->out.server_minor_version = 0; if (!get_printer_snum(p, r->in.handle, &snum, NULL)) { - return WERR_BADFID; + result = WERR_BADFID; + goto err_info_free; } if (r->in.client_major_version == SPOOLSS_DRIVER_VERSION_2012) { @@ -5718,8 +5721,7 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct *p, r->in.architecture, version); if (!W_ERROR_IS_OK(result)) { - TALLOC_FREE(r->out.info); - return result; + goto err_info_free; } *r->out.needed = SPOOLSS_BUFFER_UNION(spoolss_DriverInfo, @@ -5727,6 +5729,10 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct *p, r->out.info = SPOOLSS_BUFFER_OK(r->out.info, NULL); return SPOOLSS_BUFFER_OK(WERR_OK, WERR_INSUFFICIENT_BUFFER); + +err_info_free: + TALLOC_FREE(r->out.info); + return result; } |