summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2011-01-19 13:49:51 +0100
committerGünther Deschner <gd@samba.org>2011-01-21 10:58:20 +0100
commit9b1878e538a39b5459a74790b371ef5c098e0642 (patch)
tree597b964f8224147c7fc18ca6666c2b852bbb8eb1
parentaefbec52703a10ebe49ddd4883ea728116825114 (diff)
downloadsamba-9b1878e538a39b5459a74790b371ef5c098e0642.tar.gz
samba-9b1878e538a39b5459a74790b371ef5c098e0642.tar.bz2
samba-9b1878e538a39b5459a74790b371ef5c098e0642.zip
s3-spoolss: disallow storing an invalid devmode size.
Guenther
-rw-r--r--source3/rpc_server/srv_spoolss_util.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/source3/rpc_server/srv_spoolss_util.c b/source3/rpc_server/srv_spoolss_util.c
index 89cdc2dc1f..a0f5a4cfc5 100644
--- a/source3/rpc_server/srv_spoolss_util.c
+++ b/source3/rpc_server/srv_spoolss_util.c
@@ -1773,6 +1773,12 @@ WERROR winreg_update_printer(TALLOC_CTX *mem_ctx,
goto done;
}
}
+
+ if (devmode->size != (ndr_size_spoolss_DeviceMode(devmode, 0) - devmode->__driverextra_length)) {
+ result = WERR_INVALID_PARAM;
+ goto done;
+ }
+
ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, devmode,
(ndr_push_flags_fn_t) ndr_push_spoolss_DeviceMode);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {