author | Jeremy Allison <jra@samba.org> | 2000-03-25 01:37:08 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2000-03-25 01:37:08 +0000 |
commit | 614929752ecfc7a2f621bc868406d3d77b63895d (patch) | |
tree | 5100be36de7c47f1b7b2ededbbdf8944fd039ae2 | |
parent | 6814d0f45689d2a17af3d95511208421d10f5fce (diff) | |
rpc_parse/parse_spoolss.c: Added checks on mallocs/overflow checks on all prs_xx
calls.
smbd/connection.c: Fix from David Lee <T.D.Lee@durham.ac.uk>.
Jeremy.
(This used to be commit 53721fbc7d2a986cf999b8f031a2d9003c0dccae)
-rw-r--r-- | source3/rpc_parse/parse_spoolss.c | 424 | ||||
-rw-r--r-- | source3/smbd/connection.c | 116 |
2 files changed, 375 insertions, 165 deletions
diff --git a/source3/rpc_parse/parse_spoolss.c b/source3/rpc_parse/parse_spoolss.c index 8ff26e090c..d88761e081 100644 --- a/source3/rpc_parse/parse_spoolss.c +++ b/source3/rpc_parse/parse_spoolss.c @@ -55,14 +55,22 @@ This should be moved in a more generic lib. ********************************************************************/ static BOOL spoolss_io_system_time(char *desc, prs_struct *ps, int depth, SYSTEMTIME *systime) { - prs_uint16("year", ps, depth, &(systime->year)); - prs_uint16("month", ps, depth, &(systime->month)); - prs_uint16("dayofweek", ps, depth, &(systime->dayofweek)); - prs_uint16("day", ps, depth, &(systime->day)); - prs_uint16("hour", ps, depth, &(systime->hour)); - prs_uint16("minute", ps, depth, &(systime->minute)); - prs_uint16("second", ps, depth, &(systime->second)); - prs_uint16("milliseconds", ps, depth, &(systime->milliseconds)); + if(!prs_uint16("year", ps, depth, &(systime->year))) + return False; + if(!prs_uint16("month", ps, depth, &(systime->month))) + return False; + if(!prs_uint16("dayofweek", ps, depth, &(systime->dayofweek))) + return False; + if(!prs_uint16("day", ps, depth, &(systime->day))) + return False; + if(!prs_uint16("hour", ps, depth, &(systime->hour))) + return False; + if(!prs_uint16("minute", ps, depth, &(systime->minute))) + return False; + if(!prs_uint16("second", ps, depth, &(systime->second))) + return False; + if(!prs_uint16("milliseconds", ps, depth, &(systime->milliseconds))) + return False; return True; } 
@@ -93,15 +101,22 @@ static BOOL smb_io_doc_info_1(char *desc, DOC_INFO_1 *info_1, prs_struct *ps, in prs_debug(ps, depth, desc, "smb_io_doc_info_1"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - prs_uint32("p_docname", ps, depth, &(info_1->p_docname)); - prs_uint32("p_outputfile", ps, depth, &(info_1->p_outputfile)); - prs_uint32("p_datatype", ps, depth, &(info_1->p_datatype)); + if(!prs_uint32("p_docname", ps, depth, &(info_1->p_docname))) + return False; + if(!prs_uint32("p_outputfile", ps, depth, &(info_1->p_outputfile))) + return False; + if(!prs_uint32("p_datatype", ps, depth, &(info_1->p_datatype))) + return False; - smb_io_unistr2("", &(info_1->docname), info_1->p_docname, ps, depth); - smb_io_unistr2("", &(info_1->outputfile), info_1->p_outputfile, ps, depth); - smb_io_unistr2("", &(info_1->datatype), info_1->p_datatype, ps, depth); + if(!smb_io_unistr2("", &(info_1->docname), info_1->p_docname, ps, depth)) + return False; + if(!smb_io_unistr2("", &(info_1->outputfile), info_1->p_outputfile, ps, depth)) + return False; + if(!smb_io_unistr2("", &(info_1->datatype), info_1->p_datatype, ps, depth)) + return False; return True; } @@ -118,16 +133,20 @@ static BOOL smb_io_doc_info(char *desc, DOC_INFO *info, prs_struct *ps, int dept prs_debug(ps, depth, desc, "smb_io_doc_info"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - prs_uint32("switch_value", ps, depth, &(info->switch_value)); + if(!prs_uint32("switch_value", ps, depth, &(info->switch_value))) + return False; - prs_uint32("doc_info_X ptr", ps, depth, &(useless_ptr)); + if(!prs_uint32("doc_info_X ptr", ps, depth, &(useless_ptr))) + return False; switch (info->switch_value) { case 1: - smb_io_doc_info_1("",&(info->doc_info_1), ps, depth); + if(!smb_io_doc_info_1("",&(info->doc_info_1), ps, depth)) + return False; break; case 2: /* 
@@ -160,11 +179,14 @@ static BOOL smb_io_doc_info_container(char *desc, DOC_INFO_CONTAINER *cont, prs_ prs_debug(ps, depth, desc, "smb_io_doc_info_container"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - prs_uint32("level", ps, depth, &(cont->level)); + if(!prs_uint32("level", ps, depth, &(cont->level))) + return False; - smb_io_doc_info("",&(cont->docinfo), ps, depth); + if(!smb_io_doc_info("",&(cont->docinfo), ps, depth)) + return False; return True; } @@ -308,20 +330,28 @@ static BOOL smb_io_notify_info_data(char *desc,SPOOL_NOTIFY_INFO_DATA *data, prs isvalue=data->enc_type; - prs_align(ps); - prs_uint16("type", ps, depth, &(data->type)); - prs_uint16("field", ps, depth, &(data->field)); + if(!prs_align(ps)) + return False; + if(!prs_uint16("type", ps, depth, &(data->type))) + return False; + if(!prs_uint16("field", ps, depth, &(data->field))) + return False; /*prs_align(ps);*/ - prs_uint32("how many words", ps, depth, &how_many_words); - prs_uint32("id", ps, depth, &(data->id)); - prs_uint32("how many words", ps, depth, &how_many_words); + if(!prs_uint32("how many words", ps, depth, &how_many_words)) + return False; + if(!prs_uint32("id", ps, depth, &(data->id))) + return False; + if(!prs_uint32("how many words", ps, depth, &how_many_words)) + return False; /*prs_align(ps);*/ if (isvalue==True) { - prs_uint32("value[0]", ps, depth, &(data->notify_data.value[0])); - prs_uint32("value[1]", ps, depth, &(data->notify_data.value[1])); + if(!prs_uint32("value[0]", ps, depth, &(data->notify_data.value[0]))) + return False; + if(!prs_uint32("value[1]", ps, depth, &(data->notify_data.value[1]))) + return False; /*prs_align(ps);*/ } else 
@@ -329,8 +359,10 @@ static BOOL smb_io_notify_info_data(char *desc,SPOOL_NOTIFY_INFO_DATA *data, prs /* it's a string */ /* length in ascii including \0 */ x=2*(data->notify_data.data.length+1); - prs_uint32("string length", ps, depth, &x ); - prs_uint32("pointer", ps, depth, &useless_ptr); + if(!prs_uint32("string length", ps, depth, &x )) + return False; + if(!prs_uint32("pointer", ps, depth, &useless_ptr)) + return False; /*prs_align(ps);*/ } @@ -349,17 +381,22 @@ BOOL smb_io_notify_info_data_strings(char *desc,SPOOL_NOTIFY_INFO_DATA *data, prs_debug(ps, depth, desc, "smb_io_notify_info_data"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; + isvalue=data->enc_type; if (isvalue==False) { /* length of string in unicode include \0 */ x=data->notify_data.data.length+1; - prs_uint32("string length", ps, depth, &x ); - prs_uint16s(True,"string",ps,depth,data->notify_data.data.string,x); + if(!prs_uint32("string length", ps, depth, &x )) + return False; + if(!prs_uint16s(True,"string",ps,depth,data->notify_data.data.string,x)) + return False; } - prs_align(ps); + if(!prs_align(ps)) + return False; return True; } 
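Review bot: In smb_io_notify_info_data_strings the element count `x` handed to `prs_uint16s` is still unchecked: when unmarshalling, `prs_uint32("string length", ...)` overwrites `x` with a value taken from the stream, and that value then sizes the copy into `data->notify_data.data.string`. The added return-value checks catch running off the end of the parse buffer, not off the end of the destination, whose capacity is not visible in this hunk. If `string` is a fixed array, a guard before the `prs_uint16s` call such as `if (UNMARSHALLING(ps) && x > sizeof(data->notify_data.data.string)/sizeof(data->notify_data.data.string[0])) return False;` would bound it.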
@@ -377,20 +414,26 @@ static BOOL smb_io_notify_info(char *desc, SPOOL_NOTIFY_INFO *info, prs_struct * if(!prs_align(ps)) return False; - prs_uint32("count", ps, depth, &(info->count)); - prs_uint32("version", ps, depth, &(info->version)); - prs_uint32("flags", ps, depth, &(info->flags)); - prs_uint32("count", ps, depth, &(info->count)); + if(!prs_uint32("count", ps, depth, &(info->count))) + return False; + if(!prs_uint32("version", ps, depth, &(info->version))) + return False; + if(!prs_uint32("flags", ps, depth, &(info->flags))) + return False; + if(!prs_uint32("count", ps, depth, &(info->count))) + return False; for (i=0;i<info->count;i++) { - smb_io_notify_info_data(desc, &(info->data[i]), ps, depth); + if(!smb_io_notify_info_data(desc, &(info->data[i]), ps, depth)) + return False; } /* now do the strings at the end of the stream */ for (i=0;i<info->count;i++) { - smb_io_notify_info_data_strings(desc, &(info->data[i]), ps, depth); + if(!smb_io_notify_info_data_strings(desc, &(info->data[i]), ps, depth)) + return False; } return True; @@ -546,6 +589,8 @@ static BOOL spoolss_io_devmode(char *desc, prs_struct *ps, int depth, DEVICEMODE { if (UNMARSHALLING(ps)) { devmode->private=(uint8 *)malloc(devmode->driverextra*sizeof(uint8)); + if(devmode->private == NULL) + return False; DEBUG(7,("spoolss_io_devmode: allocated memory [%d] for private\n",devmode->driverextra)); } @@ -588,6 +633,8 @@ static BOOL spoolss_io_devmode_cont(char *desc, DEVMODE_CTR *dm_c, prs_struct *p if (UNMARSHALLING(ps)) { DEBUG(9,("Allocating memory for spoolss_io_devmode\n")); dm_c->devmode=(DEVICEMODE *)malloc(sizeof(DEVICEMODE)); + if(dm_c->devmode == NULL) + return False; ZERO_STRUCTP(dm_c->devmode); } 
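Review bot: In smb_io_notify_info both loops index `info->data[i]` up to `info->count`, and `count` is read from the stream (twice) just above with no comparison against the number of elements `info->data` can hold. The declaration of `info->data` is outside the hunk, so whether this can overrun is inferred; if it is a fixed array, add a bound after the second `prs_uint32("count", ...)`, e.g. `if (UNMARSHALLING(ps) && info->count > NOTIFY_DATA_CAPACITY /* placeholder: real array size */) return False;`. The new per-element `return False` stops the parse on a short buffer but does not limit how far `i` runs.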
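Review bot: The allocation in spoolss_io_devmode is sized directly by `devmode->driverextra`, and the new NULL check does nothing to validate that length. If the field is filled from the peer when unmarshalling (its parse is outside the hunk), the peer decides how much memory is allocated before any payload has been read; reject lengths larger than the data remaining in `ps` before calling `malloc`. Unless the enclosing condition already excludes zero, the check also turns a zero-length request into a failure on platforms where `malloc(0)` returns NULL. The unbounded size also applies to `q_u->buffer_size` in spoolss_io_q_writeprinter and to `q_u->max_len` in spoolss_io_q_setprinterdata, and the `malloc(0)` case to the latter, which has no zero guard in its hunk.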
@@ -869,11 +916,14 @@ BOOL spoolss_io_q_startdocprinter(char *desc, SPOOL_Q_STARTDOCPRINTER *q_u, prs_ prs_debug(ps, depth, desc, "spoolss_io_q_startdocprinter"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth); + if(!smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth)) + return False; - smb_io_doc_info_container("",&(q_u->doc_info_container), ps, depth); + if(!smb_io_doc_info_container("",&(q_u->doc_info_container), ps, depth)) + return False; return True; } @@ -886,8 +936,10 @@ BOOL spoolss_io_r_startdocprinter(char *desc, SPOOL_R_STARTDOCPRINTER *r_u, prs_ { prs_debug(ps, depth, desc, "spoolss_io_r_startdocprinter"); depth++; - prs_uint32("jobid", ps, depth, &(r_u->jobid)); - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_uint32("jobid", ps, depth, &(r_u->jobid))) + return False; + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } @@ -903,9 +955,11 @@ BOOL spoolss_io_q_enddocprinter(char *desc, SPOOL_Q_ENDDOCPRINTER *q_u, prs_stru prs_debug(ps, depth, desc, "spoolss_io_q_enddocprinter"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth); + if(!smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth)) + return False; return True; } @@ -918,7 +972,8 @@ BOOL spoolss_io_r_enddocprinter(char *desc, SPOOL_R_ENDDOCPRINTER *r_u, prs_stru { prs_debug(ps, depth, desc, "spoolss_io_r_enddocprinter"); depth++; - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } 
@@ -934,9 +989,11 @@ BOOL spoolss_io_q_startpageprinter(char *desc, SPOOL_Q_STARTPAGEPRINTER *q_u, pr prs_debug(ps, depth, desc, "spoolss_io_q_startpageprinter"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth); + if(!smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth)) + return False; return True; } @@ -949,7 +1006,8 @@ BOOL spoolss_io_r_startpageprinter(char *desc, SPOOL_R_STARTPAGEPRINTER *r_u, pr { prs_debug(ps, depth, desc, "spoolss_io_r_startpageprinter"); depth++; - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } @@ -965,9 +1023,11 @@ BOOL spoolss_io_q_endpageprinter(char *desc, SPOOL_Q_ENDPAGEPRINTER *q_u, prs_st prs_debug(ps, depth, desc, "spoolss_io_q_endpageprinter"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth); + if(!smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth)) + return False; return True; } @@ -980,7 +1040,8 @@ BOOL spoolss_io_r_endpageprinter(char *desc, SPOOL_R_ENDPAGEPRINTER *r_u, prs_st { prs_debug(ps, depth, desc, "spoolss_io_r_endpageprinter"); depth++; - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } 
@@ -996,18 +1057,26 @@ BOOL spoolss_io_q_writeprinter(char *desc, SPOOL_Q_WRITEPRINTER *q_u, prs_struct prs_debug(ps, depth, desc, "spoolss_io_q_writeprinter"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth); - prs_uint32("buffer_size", ps, depth, &(q_u->buffer_size)); + if(!smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth)) + return False; + if(!prs_uint32("buffer_size", ps, depth, &(q_u->buffer_size))) + return False; if (q_u->buffer_size!=0) { q_u->buffer=(uint8 *)malloc(q_u->buffer_size*sizeof(uint8)); - prs_uint8s(True, "buffer", ps, depth, q_u->buffer, q_u->buffer_size); + if(q_u->buffer == NULL) + return False; + if(!prs_uint8s(True, "buffer", ps, depth, q_u->buffer, q_u->buffer_size)) + return False; } - prs_align(ps); - prs_uint32("buffer_size2", ps, depth, &(q_u->buffer_size2)); + if(!prs_align(ps)) + return False; + if(!prs_uint32("buffer_size2", ps, depth, &(q_u->buffer_size2))) + return False; return True; } @@ -1020,8 +1089,10 @@ BOOL spoolss_io_r_writeprinter(char *desc, SPOOL_R_WRITEPRINTER *r_u, prs_struct { prs_debug(ps, depth, desc, "spoolss_io_r_writeprinter"); depth++; - prs_uint32("buffer_written", ps, depth, &(r_u->buffer_written)); - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_uint32("buffer_written", ps, depth, &(r_u->buffer_written))) + return False; + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } @@ -2605,9 +2676,11 @@ BOOL spoolss_io_r_setprinter(char *desc, SPOOL_R_SETPRINTER *r_u, prs_struct *ps prs_debug(ps, depth, desc, "spoolss_io_r_setprinter"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } 
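Review bot: In spoolss_io_q_writeprinter the new early returns after `prs_uint8s`, `prs_align` and `buffer_size2` all leave `q_u->buffer` allocated. Unless every caller frees `q_u->buffer` after a failed parse (not visible here), each malformed request leaks up to `buffer_size` bytes. Release it on the failure path, e.g. `if(!prs_uint8s(True, "buffer", ps, depth, q_u->buffer, q_u->buffer_size)) { free(q_u->buffer); q_u->buffer = NULL; return False; }`, or add a comment stating that the caller owns cleanup. `q_u->data` in spoolss_io_q_setprinterdata follows the same pattern.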
@@ -2633,8 +2706,10 @@ BOOL spoolss_io_q_setprinter(char *desc, SPOOL_Q_SETPRINTER *q_u, prs_struct *ps if (!spoolss_io_devmode_cont(desc, &q_u->devmode_ctr, ps, depth)) return False; - prs_uint32("security.size_of_buffer", ps, depth, &q_u->security.size_of_buffer); - prs_uint32("security.data", ps, depth, &q_u->security.data); + if(!prs_uint32("security.size_of_buffer", ps, depth, &q_u->security.size_of_buffer)) + return False; + if(!prs_uint32("security.data", ps, depth, &q_u->security.data)) + return False; if(!prs_uint32("command", ps, depth, &q_u->command)) return False; @@ -2649,9 +2724,11 @@ BOOL spoolss_io_r_fcpn(char *desc, SPOOL_R_FCPN *r_u, prs_struct *ps, int depth) prs_debug(ps, depth, desc, "spoolss_io_r_fcpn"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } @@ -2664,9 +2741,11 @@ BOOL spoolss_io_q_fcpn(char *desc, SPOOL_Q_FCPN *q_u, prs_struct *ps, int depth) prs_debug(ps, depth, desc, "spoolss_io_q_fcpn"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth); + if(!smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth)) + return False; return True; } @@ -2802,9 +2881,11 @@ BOOL spoolss_io_r_schedulejob(char *desc, SPOOL_R_SCHEDULEJOB *r_u, prs_struct * prs_debug(ps, depth, desc, "spoolss_io_r_schedulejob"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } 
@@ -2816,10 +2897,13 @@ BOOL spoolss_io_q_schedulejob(char *desc, SPOOL_Q_SCHEDULEJOB *q_u, prs_struct * prs_debug(ps, depth, desc, "spoolss_io_q_schedulejob"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth); - prs_uint32("jobid", ps, depth, &(q_u->jobid)); + if(!smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth)) + return False; + if(!prs_uint32("jobid", ps, depth, &(q_u->jobid))) + return False; return True; } @@ -2831,9 +2915,11 @@ BOOL spoolss_io_r_setjob(char *desc, SPOOL_R_SETJOB *r_u, prs_struct *ps, int de prs_debug(ps, depth, desc, "spoolss_io_r_setjob"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } @@ -2845,16 +2931,21 @@ BOOL spoolss_io_q_setjob(char *desc, SPOOL_Q_SETJOB *q_u, prs_struct *ps, int de prs_debug(ps, depth, desc, "spoolss_io_q_setjob"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; - smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth); - prs_uint32("jobid", ps, depth, &(q_u->jobid)); + if(!smb_io_pol_hnd("printer handle",&(q_u->handle),ps,depth)) + return False; + if(!prs_uint32("jobid", ps, depth, &(q_u->jobid))) + return False; /* * level is usually 0. If (level!=0) then I'm in trouble ! * I will try to generate setjob command with level!=0, one day. */ - prs_uint32("level", ps, depth, &(q_u->level)); - prs_uint32("command", ps, depth, &(q_u->command)); + if(!prs_uint32("level", ps, depth, &(q_u->level))) + return False; + if(!prs_uint32("command", ps, depth, &(q_u->command))) + return False; return True; } 
@@ -3191,14 +3282,20 @@ BOOL spool_io_printer_info_level(char *desc, SPOOL_PRINTER_INFO_LEVEL *il, prs_s * and by setprinter when updating printer's info */ case 1: - if (UNMARSHALLING(ps)) + if (UNMARSHALLING(ps)) { il->info_1=(SPOOL_PRINTER_INFO_LEVEL_1 *)malloc(sizeof(SPOOL_PRINTER_INFO_LEVEL_1)); + if(il->info_1 == NULL) + return False; + } if (!spool_io_printer_info_level_1("", il->info_1, ps, depth)) return False; break; case 2: - if (UNMARSHALLING(ps)) + if (UNMARSHALLING(ps)) { il->info_2=(SPOOL_PRINTER_INFO_LEVEL_2 *)malloc(sizeof(SPOOL_PRINTER_INFO_LEVEL_2)); + if(il->info_2 == NULL) + return False; + } if (!spool_io_printer_info_level_2("", il->info_2, ps, depth)) return False; break; @@ -3270,9 +3367,11 @@ BOOL spoolss_io_r_addprinterex(char *desc, SPOOL_R_ADDPRINTEREX *r_u, prs_struct prs_debug(ps, depth, desc, "spoolss_io_r_addprinterex"); depth++; - smb_io_pol_hnd("printer handle",&(r_u->handle),ps,depth); + if(!smb_io_pol_hnd("printer handle",&(r_u->handle),ps,depth)) + return False; - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } @@ -3290,6 +3389,8 @@ BOOL spool_io_printer_driver_info_level_3(char *desc, SPOOL_PRINTER_DRIVER_INFO_ /* reading */ if (UNMARSHALLING(ps)) { il=(SPOOL_PRINTER_DRIVER_INFO_LEVEL_3 *)malloc(sizeof(SPOOL_PRINTER_DRIVER_INFO_LEVEL_3)); + if(il == NULL) + return False; ZERO_STRUCTP(il); *q_u=il; } @@ -3381,7 +3482,9 @@ BOOL uniarray_2_ascarray(BUFFER5 *buf5, char ***ar) src=buf5->buffer; string=(char *)malloc(sizeof(char)*buf5->buf_len); - + if(string == NULL) + return False; + destend = string + buf5->buf_len; dest=string; @@ -3392,6 +3495,8 @@ BOOL uniarray_2_ascarray(BUFFER5 *buf5, char ***ar) /* that ugly for the first one but that's working */ array=(char **)Realloc(array, sizeof(char *)*(i+1)); + if(array == NULL) + return False; array[i++]=string; while ( n < buf5->buf_len ) 
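Review bot: In spool_io_printer_info_level the freshly allocated `il->info_1` and `il->info_2` are passed to the level parsers without being zeroed, unlike the other allocations touched by this commit, which are followed by `ZERO_STRUCTP`. If spool_io_printer_info_level_1 or _2 fails partway, the caller is left holding a struct whose unparsed fields are uninitialised heap contents, which is hazardous if any of them are later treated as pointers or lengths. Add `ZERO_STRUCTP(il->info_1);` and `ZERO_STRUCTP(il->info_2);` directly after the respective NULL checks. The switch statement and the rest of the function lie outside the hunk.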
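Review bot: The new `if(array == NULL) return False;` exits in uniarray_2_ascarray (after the first `Realloc` here and inside the loop in the following hunk) leak on exactly the path they handle. `array` has just been overwritten with the failed result, so the previous pointer table is lost unless `Realloc` frees its argument on failure (not visible here), and the `string` buffer allocated above is never released. Assign the result to a temporary first, `tmp = (char **)Realloc(array, sizeof(char *)*(i+1));`, and on NULL free both the old `array` and the start of the string buffer before returning. Because `string` is advanced inside the loop, the start of that buffer has to be kept in a separate variable for the cleanup.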
@@ -3399,6 +3504,8 @@ BOOL uniarray_2_ascarray(BUFFER5 *buf5, char ***ar) if ( *(string++) == '\0' ) { array=(char **)Realloc(array, sizeof(char *)*(i+1)); + if(array == NULL) + return False; array[i++]=string; } n++; @@ -3422,10 +3529,11 @@ BOOL smb_io_unibuffer(char *desc, UNISTR2 *buffer, prs_struct *ps, int depth) buffer->undoc=0; buffer->uni_str_len=buffer->uni_max_len; - prs_uint32("buffer_size", ps, depth, &(buffer->uni_max_len)); - - prs_unistr2(True, "buffer ", ps, depth, buffer); + if(!prs_uint32("buffer_size", ps, depth, &(buffer->uni_max_len))) + return False; + if(!prs_unistr2(True, "buffer ", ps, depth, buffer)) + return False; return True; } @@ -3449,7 +3557,8 @@ BOOL spool_io_printer_driver_info_level(char *desc, SPOOL_PRINTER_DRIVER_INFO_LE switch (il->level) { case 3: - spool_io_printer_driver_info_level_3("", &(il->info_3), ps, depth); + if(!spool_io_printer_driver_info_level_3("", &(il->info_3), ps, depth)) + return False; break; } @@ -3508,6 +3617,8 @@ BOOL uni_2_asc_printer_driver_3(SPOOL_PRINTER_DRIVER_INFO_LEVEL_3 *uni, if (*asc==NULL) { *asc=(NT_PRINTER_DRIVER_INFO_LEVEL_3 *)malloc(sizeof(NT_PRINTER_DRIVER_INFO_LEVEL_3)); + if(*asc == NULL) + return False; ZERO_STRUCTP(*asc); } @@ -3554,6 +3665,8 @@ BOOL uni_2_asc_printer_info_2(const SPOOL_PRINTER_INFO_LEVEL_2 *uni, DEBUGADD(8,("allocating memory\n")); *asc=(NT_PRINTER_INFO_LEVEL_2 *)malloc(sizeof(NT_PRINTER_INFO_LEVEL_2)); + if(*asc == NULL) + return False; ZERO_STRUCTP(*asc); /* we allocate memory iff called from 
@@ -3931,15 +4044,21 @@ BOOL spoolss_io_q_setprinterdata(char *desc, SPOOL_Q_SETPRINTERDATA *q_u, prs_st prs_debug(ps, depth, desc, "spoolss_io_q_setprinterdata"); depth++; - prs_align(ps); - smb_io_pol_hnd("printer handle", &(q_u->handle), ps, depth); - smb_io_unistr2("", &(q_u->value), True, ps, depth); + if(!prs_align(ps)) + return False; + if(!smb_io_pol_hnd("printer handle", &(q_u->handle), ps, depth)) + return False; + if(!smb_io_unistr2("", &(q_u->value), True, ps, depth)) + return False; - prs_align(ps); + if(!prs_align(ps)) + return False; - prs_uint32("type", ps, depth, &(q_u->type)); + if(!prs_uint32("type", ps, depth, &(q_u->type))) + return False; - prs_uint32("max_len", ps, depth, &(q_u->max_len)); + if(!prs_uint32("max_len", ps, depth, &(q_u->max_len))) + return False; switch (q_u->type) { @@ -3948,12 +4067,17 @@ BOOL spoolss_io_q_setprinterdata(char *desc, SPOOL_Q_SETPRINTERDATA *q_u, prs_st case 0x4: case 0x7: q_u->data=(uint8 *)malloc(q_u->max_len * sizeof(uint8)); - prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len); - prs_align(ps); + if(q_u->data == NULL) + return False; + if(!prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len)) + return False; + if(!prs_align(ps)) + return False; break; } - prs_uint32("real_len", ps, depth, &(q_u->real_len)); + if(!prs_uint32("real_len", ps, depth, &(q_u->real_len))) + return False; return True; } @@ -3965,8 +4089,10 @@ BOOL spoolss_io_r_setprinterdata(char *desc, SPOOL_R_SETPRINTERDATA *r_u, prs_st prs_debug(ps, depth, desc, "spoolss_io_r_setprinterdata"); depth++; - prs_align(ps); - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_align(ps)) + return False; + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } 
@@ -3981,6 +4107,8 @@ BOOL convert_specific_param(NT_PRINTER_PARAM **param, const UNISTR2 *value, if (*param == NULL) { *param=(NT_PRINTER_PARAM *)malloc(sizeof(NT_PRINTER_PARAM)); + if(*param == NULL) + return False; ZERO_STRUCTP(*param); DEBUGADD(6,("Allocated a new PARAM struct\n")); } @@ -3993,6 +4121,8 @@ BOOL convert_specific_param(NT_PRINTER_PARAM **param, const UNISTR2 *value, (*param)->data_len=len; (*param)->data=(uint8 *)malloc(len * sizeof(uint8)); + if((*param)->data == NULL) + return False; memcpy((*param)->data, data, len); @@ -4007,20 +4137,30 @@ static BOOL spoolss_io_addform(char *desc, FORM *f, uint32 ptr, prs_struct *ps, { prs_debug(ps, depth, desc, "spoolss_io_addform"); depth++; - prs_align(ps); + if(!prs_align(ps)) + return False; if (ptr!=0) { - prs_uint32("flags", ps, depth, &(f->flags)); - prs_uint32("name_ptr", ps, depth, &(f->name_ptr)); - prs_uint32("size_x", ps, depth, &(f->size_x)); - prs_uint32("size_y", ps, depth, &(f->size_y)); - prs_uint32("left", ps, depth, &(f->left)); - prs_uint32("top", ps, depth, &(f->top)); - prs_uint32("right", ps, depth, &(f->right)); - prs_uint32("bottom", ps, depth, &(f->bottom)); - - smb_io_unistr2("", &(f->name), f->name_ptr, ps, depth); + if(!prs_uint32("flags", ps, depth, &(f->flags))) + return False; + if(!prs_uint32("name_ptr", ps, depth, &(f->name_ptr))) + return False; + if(!prs_uint32("size_x", ps, depth, &(f->size_x))) + return False; + if(!prs_uint32("size_y", ps, depth, &(f->size_y))) + return False; + if(!prs_uint32("left", ps, depth, &(f->left))) + return False; + if(!prs_uint32("top", ps, depth, &(f->top))) + return False; + if(!prs_uint32("right", ps, depth, &(f->right))) + return False; + if(!prs_uint32("bottom", ps, depth, &(f->bottom))) + return False; + + if(!smb_io_unistr2("", &(f->name), f->name_ptr, ps, depth)) + return False; } return True; 
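Review bot: When the `data` allocation fails in convert_specific_param, the function returns with `(*param)->data_len` already set to `len` while `(*param)->data` is NULL, and with `*param` still allocated. Any later code that trusts `data_len` on that struct would copy through a NULL pointer, so reset it on the failure path: `if((*param)->data == NULL) { (*param)->data_len = 0; return False; }`. With `len == 0` the check can also fail spuriously where `malloc(0)` returns NULL. A comment on who frees `*param` after a False return would help callers; the function body starts and ends outside the hunk.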
@@ -4034,15 +4174,21 @@ BOOL spoolss_io_q_addform(char *desc, SPOOL_Q_ADDFORM *q_u, prs_struct *ps, int prs_debug(ps, depth, desc, "spoolss_io_q_addform"); depth++; - prs_align(ps); - smb_io_pol_hnd("printer handle", &(q_u->handle), ps, depth); - prs_uint32("level", ps, depth, &(q_u->level)); - prs_uint32("level2", ps, depth, &(q_u->level2)); + if(!prs_align(ps)) + return False; + if(!smb_io_pol_hnd("printer handle", &(q_u->handle), ps, depth)) + return False; + if(!prs_uint32("level", ps, depth, &(q_u->level))) + return False; + if(!prs_uint32("level2", ps, depth, &(q_u->level2))) + return False; if (q_u->level==1) { - prs_uint32("useless_ptr", ps, depth, &(useless_ptr)); - spoolss_io_addform("", &(q_u->form), useless_ptr, ps, depth); + if(!prs_uint32("useless_ptr", ps, depth, &(useless_ptr))) + return False; + if(!spoolss_io_addform("", &(q_u->form), useless_ptr, ps, depth)) + return False; } return True; @@ -4055,8 +4201,10 @@ BOOL spoolss_io_r_addform(char *desc, SPOOL_R_ADDFORM *r_u, prs_struct *ps, int prs_debug(ps, depth, desc, "spoolss_io_r_addform"); depth++; - prs_align(ps); - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_align(ps)) + return False; + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } 
@@ -4069,19 +4217,27 @@ BOOL spoolss_io_q_setform(char *desc, SPOOL_Q_SETFORM *q_u, prs_struct *ps, int prs_debug(ps, depth, desc, "spoolss_io_q_setform"); depth++; - prs_align(ps); - smb_io_pol_hnd("printer handle", &(q_u->handle), ps, depth); - smb_io_unistr2("", &(q_u->name), True, ps, depth); + if(!prs_align(ps)) + return False; + if(!smb_io_pol_hnd("printer handle", &(q_u->handle), ps, depth)) + return False; + if(!smb_io_unistr2("", &(q_u->name), True, ps, depth)) + return False; - prs_align(ps); + if(!prs_align(ps)) + return False; - prs_uint32("level", ps, depth, &(q_u->level)); - prs_uint32("level2", ps, depth, &(q_u->level2)); + if(!prs_uint32("level", ps, depth, &(q_u->level))) + return False; + if(!prs_uint32("level2", ps, depth, &(q_u->level2))) + return False; if (q_u->level==1) { - prs_uint32("useless_ptr", ps, depth, &(useless_ptr)); - spoolss_io_addform("", &(q_u->form), useless_ptr, ps, depth); + if(!prs_uint32("useless_ptr", ps, depth, &(useless_ptr))) + return False; + if(!spoolss_io_addform("", &(q_u->form), useless_ptr, ps, depth)) + return False; } return True; @@ -4094,8 +4250,10 @@ BOOL spoolss_io_r_setform(char *desc, SPOOL_R_SETFORM *r_u, prs_struct *ps, int prs_debug(ps, depth, desc, "spoolss_io_r_setform"); depth++; - prs_align(ps); - prs_uint32("status", ps, depth, &(r_u->status)); + if(!prs_align(ps)) + return False; + if(!prs_uint32("status", ps, depth, &(r_u->status))) + return False; return True; } diff --git a/source3/smbd/connection.c b/source3/smbd/connection.c index 972ffa52dd..95645bfdf6 100644 --- a/source3/smbd/connection.c +++ b/source3/smbd/connection.c 
@@ -216,7 +216,65 @@ static int utmp_fill(struct utmp *u, const connection_struct *conn, pid_t pid, i return(rc); } -static void utmp_update(const pstring dirname, const struct utmp *u, const char *host) +/* Default path (if possible) */ +#ifdef HAVE_UTMPX_H + +# ifdef UTMPX_FILE +static char *ut_pathname = UTMPX_FILE; +# else +static char *ut_pathname = ""; +# endif +# ifdef WTMPX_FILE +static char *wt_pathname = WTMPX_FILE; +# else +static char *wt_pathname = ""; +# endif + +#else /* HAVE_UTMPX_H */ + +# ifdef UTMP_FILE +static char *ut_pathname = UTMP_FILE; +# else +static char *ut_pathname = ""; +# endif +# ifdef WTMP_FILE +static char *wt_pathname = WTMP_FILE; +# else +static char *wt_pathname = ""; +# endif + +#endif /* HAVE_UTMPX_H */ + +static void uw_pathname(pstring fname, const char *uw_name) +{ + pstring dirname; + + pstrcpy(dirname,lp_utmpdir()); + trim_string(dirname,"","/"); + + /* Given directory: use it */ + if (dirname != 0 && strlen(dirname) != 0) { + pstrcpy(fname, dirname); + pstrcat(fname, "/"); + pstrcat(fname, uw_name); + return; + } + + /* No given directory: attempt to use default paths */ + if (uw_name[0] == 'u') { + pstrcpy(fname, ut_pathname); + return; + } + + if (uw_name[0] == 'w') { + pstrcpy(fname, wt_pathname); + return; + } + + pstrcpy(fname, ""); +} + +static void utmp_update(const struct utmp *u, const char *host) { pstring fname; 
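Review bot: In uw_pathname the test `dirname != 0` is always true, since `dirname` is a local `pstring` used as a `pstrcpy` destination and so presumably a char array; only `strlen(dirname) != 0` does any work and the first half can be dropped. The `ut_pathname` and `wt_pathname` defaults point at string literals or macros and are never written in the visible code, so `static const char *` is the safer declaration. The function also deserves a header comment saying that `fname` comes back empty when neither a configured directory nor a compiled-in default exists, because utmp_update depends on that to skip `utmpxname()`/`utmpname()`.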
@@ -231,64 +289,62 @@ static void utmp_update(const pstring dirname, const struct utmp *u, const char pstrcpy(ux.ut_host, host); } - pstrcpy(fname, dirname); - pstrcat(fname, "utmpx"); - utmpxname(fname); + uw_pathname(fname, "utmpx"); + DEBUG(2,("utmp_update: fname:%s\n", fname)); + if (strlen(fname) != 0) { + utmpxname(fname); + } uxrc = pututxline(&ux); if (uxrc == NULL) { DEBUG(2,("utmp_update: pututxline() failed\n")); return; } - pstrcpy(fname, dirname); - pstrcat(fname, "wtmpx"); - updwtmpx(fname, &ux); + uw_pathname(fname, "wtmpx"); + DEBUG(2,("utmp_update: fname:%s\n", fname)); + if (strlen(fname) != 0) { + updwtmpx(fname, &ux); + } #else - pstrcpy(fname, dirname); - pstrcat(fname, "utmp"); - - utmpname(fname); + uw_pathname(fname, "utmp"); + DEBUG(2,("utmp_update: fname:%s\n", fname)); + if (strlen(fname) != 0) { + utmpname(fname); + } pututline(u); - pstrcpy(fname, dirname); - pstrcat(fname, "wtmp"); + uw_pathname(fname, "wtmp"); - /* *** OK. Appending wtmp (as distinct from overwriting utmp) has + /* *** Hmmm. Appending wtmp (as distinct from overwriting utmp) has me baffled. How is it to be done? *** */ #endif } -static void utmp_yield(int pid, const connection_struct *conn) +static void utmp_yield(pid_t pid, const connection_struct *conn) { struct utmp u; - pstring dirname; if (! 
lp_utmp(SNUM(conn))) { DEBUG(2,("utmp_yield: lp_utmp() NULL\n")); return; } - pstrcpy(dirname,lp_utmpdir()); - trim_string(dirname,"","/"); - pstrcat(dirname,"/"); - - DEBUG(2,("utmp_yield: dir:%s conn: user:%s cnum:%d i:%d\n", - dirname, conn->user, conn->cnum, conn->cnum)); + DEBUG(2,("utmp_yield: conn: user:%s cnum:%d i:%d\n", + conn->user, conn->cnum, i)); memset((char *)&u, '\0', sizeof(struct utmp)); u.ut_type = DEAD_PROCESS; u.ut_exit.e_termination = 0; u.ut_exit.e_exit = 0; if (utmp_fill(&u, conn, pid, conn->cnum) == 0) { - utmp_update(dirname, &u, NULL); + utmp_update(&u, NULL); } } -static void utmp_claim(const struct connections_data *crec, const connection_struct *conn) +static void utmp_claim(const struct connect_record *crec, const connection_struct *conn) { extern int Client; struct utmp u; - pstring dirname; if (conn == NULL) { DEBUG(2,("utmp_claim: conn NULL\n")); @@ -300,12 +356,8 @@ static void utmp_claim(const struct connections_data *crec, const connection_str return; } - pstrcpy(dirname,lp_utmpdir()); - trim_string(dirname,"","/"); - pstrcat(dirname,"/"); - - DEBUG(2,("utmp_claim: dir:%s conn: user:%s cnum:%d i:%d\n", - dirname, conn->user, conn->cnum, conn->cnum)); + DEBUG(2,("utmp_claim: conn: user:%s cnum:%d i:%d\n", + conn->user, conn->cnum, i)); DEBUG(2,("utmp_claim: crec: pid:%d, cnum:%d name:%s addr:%s mach:%s DNS:%s\n", crec->pid, crec->cnum, crec->name, crec->addr, crec->machine, client_name(Client))); @@ -313,7 +365,7 @@ static void utmp_claim(const struct connections_data *crec, const connection_str memset((char *)&u, '\0', sizeof(struct utmp)); u.ut_type = USER_PROCESS; if (utmp_fill(&u, conn, crec->pid, conn->cnum) == 0) { - utmp_update(dirname, &u, crec->machine); + utmp_update(&u, crec->machine); } } |
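Review bot: The rewritten `DEBUG` call in utmp_yield passes `i` as its last argument, but the only declarations visible in that function are `struct utmp u;` and the parameters `pid` and `conn`. Unless a file-scope `i` exists, this will not compile when the utmp code is enabled. The removed line passed `conn->cnum` in that position, so `conn->user, conn->cnum, conn->cnum));` restores the old output. The same `i` appears in the utmp_claim `DEBUG` in the next hunk, where only `Client` and `u` are declared. Separately, in the non-utmpx branch of utmp_update the result of `uw_pathname(fname, "wtmp")` is never used, so no wtmp record is written on that path.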