author | Gerald Carter <jerry@samba.org> | 2005-08-05 00:58:31 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:00:25 -0500 |
commit | ac42cd59f27de7d753fafd12b4c667073b8758c1 (patch) | |
tree | 886ef87906eea385387b31a76b0f2745b499af76 /source3/rpc_parse | |
parent | 777422836ccfd3f2cafa19537534b970bc96fc2b (diff) | |
r9086: * fix invalid read in parse_spoolss when writing a devmode to
the wire
* fix dup_a_regval() when size is 0
* ensure we pass a pstring to unlink_internals (fixes delete_driver
code)
(This used to be commit 353e63ff421c564a1b7c7cfe95982f31c871a227)
Diffstat (limited to 'source3/rpc_parse')
-rw-r--r-- | source3/rpc_parse/parse_spoolss.c | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/source3/rpc_parse/parse_spoolss.c b/source3/rpc_parse/parse_spoolss.c
index 2663b09381..2677a4a2df 100644
--- a/source3/rpc_parse/parse_spoolss.c
+++ b/source3/rpc_parse/parse_spoolss.c
@@ -631,6 +631,8 @@ BOOL spoolss_io_devmode(const char *desc, prs_struct *ps, int depth, DEVICEMODE
 int available_space; /* size of the device mode left to parse */
 /* only important on unmarshalling */
 int i = 0;
+ uint16 *unistr_buffer;
+ int j;
 struct optional_fields {
 fstring name;
@@ -662,12 +664,20 @@ BOOL spoolss_io_devmode(const char *desc, prs_struct *ps, int depth, DEVICEMODE
 depth++;
 if (UNMARSHALLING(ps)) {
- devmode->devicename.buffer = PRS_ALLOC_MEM(ps, uint16, 32);
+ devmode->devicename.buffer = PRS_ALLOC_MEM(ps, uint16, MAXDEVICENAME);
 if (devmode->devicename.buffer == NULL)
 return False;
+ unistr_buffer = devmode->devicename.buffer;
 }
-
- if (!prs_uint16uni(True,"devicename", ps, depth, devmode->devicename.buffer, MAXDEVICENAME))
+ else {
+ /* devicename is a static sized string but the buffer we set is not */
+ unistr_buffer = PRS_ALLOC_MEM(ps, uint16, MAXDEVICENAME);
+ memset( unistr_buffer, 0x0, MAXDEVICENAME );
+ for ( j=0; devmode->devicename.buffer[j]; j++ )
+ unistr_buffer[j] = devmode->devicename.buffer[j];
+ }
+
+ if (!prs_uint16uni(True,"devicename", ps, depth, unistr_buffer, MAXDEVICENAME))
 return False;
 if (!prs_uint16("specversion", ps, depth, &devmode->specversion))
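Review bot: The marshalling `else` branch added for devicename copies `devmode->devicename.buffer` into the MAXDEVICENAME-element scratch buffer with a loop that stops only at a zero code unit, so a name of MAXDEVICENAME or more units writes past the allocation; the loop needs an upper bound on `j` as well. The same branch uses the PRS_ALLOC_MEM result without the NULL check the unmarshalling branch has, and reads `devicename.buffer` without checking it is set. Its memset length is given in bytes while the buffer holds uint16 elements, so only half of it is cleared unless the allocator already zeroes memory (not visible here), and the uncleared part would go onto the wire. The formname branch in the next hunk repeats all of this and needs the same changes. Whether the last slot must stay zero as a terminator depends on what the peer expects of the fixed-size field; spoolss_io_devmode starts and ends outside these hunks.

```c
	else {
		/* devicename is a fixed-size field on the wire; the buffer we hold is not */
		unistr_buffer = PRS_ALLOC_MEM(ps, uint16, MAXDEVICENAME);
		if (unistr_buffer == NULL)
			return False;
		memset(unistr_buffer, 0x0, MAXDEVICENAME * sizeof(uint16));
		if (devmode->devicename.buffer != NULL) {
			for (j = 0; j < MAXDEVICENAME && devmode->devicename.buffer[j]; j++)
				unistr_buffer[j] = devmode->devicename.buffer[j];
		}
	}
	/* … unchanged: prs_uint16uni() call on unistr_buffer … */
```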
@@ -709,12 +719,20 @@ BOOL spoolss_io_devmode(const char *desc, prs_struct *ps, int depth, DEVICEMODE
 return False;
 if (UNMARSHALLING(ps)) {
- devmode->formname.buffer = PRS_ALLOC_MEM(ps, uint16, 32);
+ devmode->formname.buffer = PRS_ALLOC_MEM(ps, uint16, MAXDEVICENAME);
 if (devmode->formname.buffer == NULL)
 return False;
+ unistr_buffer = devmode->formname.buffer;
 }
-
- if (!prs_uint16uni(True, "formname", ps, depth, devmode->formname.buffer, 32))
+ else {
+ /* devicename is a static sized string but the buffer we set is not */
+ unistr_buffer = PRS_ALLOC_MEM(ps, uint16, MAXDEVICENAME);
+ memset( unistr_buffer, 0x0, MAXDEVICENAME );
+ for ( j=0; devmode->formname.buffer[j]; j++ )
+ unistr_buffer[j] = devmode->formname.buffer[j];
+ }
+
+ if (!prs_uint16uni(True, "formname", ps, depth, unistr_buffer, MAXDEVICENAME))
 return False;
 if (!prs_uint16("logpixels", ps, depth, &devmode->logpixels))
 return False; |
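Review bot: The comment in the formname `else` branch still reads "devicename is a static sized string", copied from the earlier block; it should name the field it guards, for example `/* formname is a fixed-size string on the wire but the buffer we hold is not */`. The field length also changes here from the literal 32 to MAXDEVICENAME, which ties the form-name width to the device-name constant. If the two widths are meant to be equal, a one-line comment saying so would stop a later change to MAXDEVICENAME from silently resizing this field. The body of spoolss_io_devmode continues outside the hunk.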