From 03e63dd9841085ee16993d74dff4e62957298bbd Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 2 Jan 2018 15:56:03 -0800
Subject: CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer
 derefs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-8-test): Tue Mar 13 15:58:25 CET 2018 on sn-devel-144
---
 source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
index f0226ba9441..f6e680e9c49 100644
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -142,6 +142,11 @@ static void prune_printername_cache(void);
 static const char *canon_servername(const char *servername)
 {
 	const char *pservername = servername;
+
+	if (servername == NULL) {
+		return "";
+	}
+
 	while (*pservername == '\\') {
 		pservername++;
 	}
@@ -2042,6 +2047,10 @@ WERROR _spoolss_DeletePrinterDriver(struct pipes_struct *p,
 		return WERR_ACCESS_DENIED;
 	}
 
+	if (r->in.architecture == NULL || r->in.driver == NULL) {
+		return WERR_INVALID_ENVIRONMENT;
+	}
+
 	/* check that we have a valid driver name first */
 
 	if ((version = get_version_id(r->in.architecture)) == -1) {
@@ -2181,6 +2190,10 @@ WERROR _spoolss_DeletePrinterDriverEx(struct pipes_struct *p,
 		return WERR_ACCESS_DENIED;
 	}
 
+	if (r->in.architecture == NULL || r->in.driver == NULL) {
+		return WERR_INVALID_ENVIRONMENT;
+	}
+
 	/* check that we have a valid driver name first */
 	if (get_version_id(r->in.architecture) == -1) {
 		/* this is what NT returns */
-- 
cgit v1.2.1