diff options
| -rw-r--r-- | source3/printing/printing.c | 40 | ||||
| -rw-r--r-- | source3/rpc_server/srv_spoolss_nt.c | 2 |
2 files changed, 34 insertions, 8 deletions
diff --git a/source3/printing/printing.c b/source3/printing/printing.c index 0344d44d61..6474c92c69 100644 --- a/source3/printing/printing.c +++ b/source3/printing/printing.c @@ -318,6 +318,7 @@ static TDB_DATA print_key(uint32 jobid) int unpack_pjob( char* buf, int buflen, struct printjob *pjob ) { int len = 0; + int used; if ( !buf || !pjob ) return -1; @@ -336,9 +337,14 @@ int unpack_pjob( char* buf, int buflen, struct printjob *pjob ) pjob->jobname, pjob->user, pjob->queuename); - - - len += unpack_devicemode(&pjob->nt_devmode, buf+len, buflen-len); + + if ( len == -1 ) + return -1; + + if ( (used = unpack_devicemode(&pjob->nt_devmode, buf+len, buflen-len)) == -1 ) + return -1; + + len += used; return len; @@ -369,7 +375,8 @@ static struct printjob *print_job_find(int snum, uint32 jobid) ZERO_STRUCT( pjob ); - unpack_pjob( ret.dptr, ret.dsize, &pjob ); + if ( unpack_pjob( ret.dptr, ret.dsize, &pjob ) == -1 ) + return NULL; SAFE_FREE(ret.dptr); return &pjob; @@ -689,10 +696,14 @@ static int traverse_fn_delete(TDB_CONTEXT *t, TDB_DATA key, TDB_DATA data, void uint32 jobid; int i; - if (data.dsize != sizeof(pjob) || key.dsize != sizeof(jobid)) + if ( key.dsize != sizeof(jobid) ) return 0; + memcpy(&jobid, key.dptr, sizeof(jobid)); - memcpy(&pjob, data.dptr, sizeof(pjob)); + if ( unpack_pjob( data.dptr, data.dsize, &pjob ) == -1 ) + return 0; + free_nt_devicemode( &pjob.nt_devmode ); + if (ts->snum != lp_servicenumber(pjob.queuename)) { /* this isn't for the queue we are looking at - this cannot happen with the split tdb's. JRA */ @@ -1681,10 +1692,16 @@ static int traverse_fn_queue(TDB_CONTEXT *t, TDB_DATA key, TDB_DATA data, void * int i; uint32 jobid; + /* sanity checks */ + + if ( key.dsize != sizeof(jobid) ) + return 0; + memcpy(&jobid, key.dptr, sizeof(jobid)); - if ( !unpack_pjob( data.dptr, data.dsize, &pjob ) ) + if ( unpack_pjob( data.dptr, data.dsize, &pjob ) == -1 ) return 0; + free_nt_devicemode( &pjob.nt_devmode ); /* maybe it isn't for this queue */ if (ts->snum != lp_servicenumber(pjob.queuename)) @@ -1723,10 +1740,17 @@ static int traverse_count_fn_queue(TDB_CONTEXT *t, TDB_DATA key, TDB_DATA data, struct printjob pjob; uint32 jobid; + /* sanity checks */ + + if ( key.dsize != sizeof(jobid) ) + return 0; + memcpy(&jobid, key.dptr, sizeof(jobid)); - if ( !unpack_pjob( data.dptr, data.dsize, &pjob ) ) + if ( unpack_pjob( data.dptr, data.dsize, &pjob ) == -1 ) return 0; + + free_nt_devicemode( &pjob.nt_devmode ); /* maybe it isn't for this queue - this cannot happen with the tdb/printer code. JRA */ if (ts->snum != lp_servicenumber(pjob.queuename)) diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c index 6953ec3663..2190215107 100644 --- a/source3/rpc_server/srv_spoolss_nt.c +++ b/source3/rpc_server/srv_spoolss_nt.c @@ -5421,11 +5421,13 @@ static WERROR control_printer(POLICY_HND *handle, uint32 command, errcode = WERR_OK; } break; +#if 0 /* JERRY - Never called */ case PRINTER_CONTROL_PURGE: if (print_queue_purge(&user, snum, &errcode)) { errcode = WERR_OK; } break; +#endif default: return WERR_UNKNOWN_LEVEL; } |