From 0cc138993573a8337c335563ba3c5936d260f298 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 2 Jun 2000 21:16:39 +0000
Subject: More memory leak and PANIC action fixes. This is *horrible* code :-(. Jeremy. (This used to be commit ac383bb765ea606fc1105aa91470fcdf453d9335)
---
 source3/include/proto.h | 7 ++-
 source3/rpc_parse/parse_prs.c | 3 ++
 source3/rpc_parse/parse_spoolss.c | 97 ++++++++++++++++++++++++++-----------
 source3/rpc_server/srv_spoolss_nt.c | 11 +++--
 4 files changed, 86 insertions(+), 32 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 050de09c65..a221cca22c 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -2598,8 +2598,13 @@ BOOL spoolss_io_r_setform(char *desc, SPOOL_R_SETFORM *r_u, prs_struct *ps, int
 BOOL spoolss_io_r_getjob(char *desc, SPOOL_R_GETJOB *r_u, prs_struct *ps, int depth);
 BOOL spoolss_io_q_getjob(char *desc, SPOOL_Q_GETJOB *q_u, prs_struct *ps, int depth);
 void free_devmode(DEVICEMODE *devmode);
-void free_printer_info_3(PRINTER_INFO_3 *printer);
+void free_printer_info_1(PRINTER_INFO_1 *printer);
 void free_printer_info_2(PRINTER_INFO_2 *printer);
+void free_printer_info_3(PRINTER_INFO_3 *printer);
+void free_spool_printer_info_1(SPOOL_PRINTER_INFO_LEVEL_1 *printer);
+void free_spool_printer_info_2(SPOOL_PRINTER_INFO_LEVEL_2 *printer);
+void free_spool_printer_info_3(SPOOL_PRINTER_INFO_LEVEL_3 *printer);
+void free_spool_printer_info_level(SPOOL_PRINTER_INFO_LEVEL *pil);
 void free_print2_array(uint32 num_entries, PRINTER_INFO_2 **entries);
 void free_print1_array(uint32 num_entries, PRINTER_INFO_1 **entries);
 void free_job1_array(uint32 num_entries, JOB_INFO_1 **entries);
diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c
index 422b420a3c..0e057e9403 100644
--- a/source3/rpc_parse/parse_prs.c
+++ b/source3/rpc_parse/parse_prs.c
@@ -232,6 +232,9 @@ BOOL prs_grow(prs_struct *ps, uint32 extra_space) if ((new_data = Realloc(ps->data_p, new_size)) == NULL) { DEBUG(0,("prs_grow: Realloc failure for size %u.\n", (unsigned int)new_size)); + /* JRATEST */ + smb_panic("prs_grow: ralloc fail\n"); + /* JRATEST */ return False; } diff --git a/source3/rpc_parse/parse_spoolss.c b/source3/rpc_parse/parse_spoolss.c index e81f0c286f..55bfd4fe57 100644 --- a/source3/rpc_parse/parse_spoolss.c +++ b/source3/rpc_parse/parse_spoolss.c @@ -270,12 +270,12 @@ static BOOL smb_io_notify_option_type_ctr(char *desc, SPOOL_NOTIFY_OPTION_TYPE_C /* the option type struct */ for(i=0;icount;i++) - if(!smb_io_notify_option_type("", &(ctr->type[i]) , ps, depth)) + if(!smb_io_notify_option_type("", &ctr->type[i] , ps, depth)) return False; /* the type associated with the option type struct */ for(i=0;icount;i++) - if(!smb_io_notify_option_type_data("", &(ctr->type[i]) , ps, depth)) + if(!smb_io_notify_option_type_data("", &ctr->type[i] , ps, depth)) return False; return True; @@ -1473,20 +1473,20 @@ static BOOL new_smb_io_relarraystr(char *desc, NEW_BUFFER *buffer, int depth, ui static BOOL new_smb_io_relsecdesc(char *desc, NEW_BUFFER *buffer, int depth, SEC_DESC **secdesc) { - prs_struct *ps=&(buffer->prs); + prs_struct *ps= &buffer->prs; prs_debug(ps, depth, desc, "new_smb_io_relsecdesc"); depth++; - if (MARSHALLING(ps)) - { + if (MARSHALLING(ps)) { uint32 struct_offset = prs_offset(ps); uint32 relative_offset; - if (*secdesc != NULL) - { - buffer->string_at_end -= 256; /* HACK! */ - + if (*secdesc != NULL) { +#if 0 /* JRA */ + buffer->string_at_end -= 256; /* HACK! */ +#endif + prs_set_offset(ps, buffer->string_at_end); /* write the secdesc */ @@ -1500,9 +1500,7 @@ static BOOL new_smb_io_relsecdesc(char *desc, NEW_BUFFER *buffer, int depth, /* write its offset */ if (!prs_uint32("offset", ps, depth, &relative_offset)) return False; - } - else - { + } else { uint32 old_offset; /* read the offset */ 
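Review bot: The `smb_panic("prs_grow: ralloc fail\n")` added in the Realloc failure branch of prs_grow makes the following `return False` unreachable if smb_panic aborts as its name suggests, so a failed buffer grow ends the whole process instead of failing one request. If `extra_space` can be driven by what a client asks the server to marshal (not visible in this hunk), memory pressure becomes a denial of service. The `/* JRATEST */` markers read like temporary scaffolding; I would remove the panic or put it behind a debug-only build switch and keep the `DEBUG(0, ...)` plus `return False` path as the production behaviour. prs_grow starts and ends outside the hunk.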
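Review bot: With `buffer->string_at_end -= 256;` compiled out under `#if 0`, the marshalling branch of new_smb_io_relsecdesc no longer moves `string_at_end` down before `prs_set_offset(ps, buffer->string_at_end)`, so nothing visible in this hunk reserves room for the security descriptor that is written next. Unless the space is reserved in lines outside the hunk, the descriptor is written at, rather than below, the current end-of-strings position and may overlap data already placed there or run past the buffer. The fixed 256 was a guess, but the replacement should subtract the actual marshalled size of `*secdesc` from `buffer->string_at_end` before the offset is set, not drop the reservation. The function body continues past the hunk.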
@@ -2874,12 +2872,14 @@ BOOL spoolss_io_r_setprinter(char *desc, SPOOL_R_SETPRINTER *r_u, prs_struct *ps } /******************************************************************* - Delete the dynamic parts of a SPOOL_Q_SETPRINTE struct. + Delete the dynamic parts of a SPOOL_Q_SETPRINTER struct. ********************************************************************/ void free_spoolss_q_setprinter(SPOOL_Q_SETPRINTER *q_u) { + free_spool_printer_info_level(&q_u->info); free_sec_desc_buf( &q_u->secdesc_ctr ); + free_devmode( q_u->devmode_ctr.devmode ); } /******************************************************************* @@ -3519,6 +3519,7 @@ BOOL spool_io_printer_info_level(char *desc, SPOOL_PRINTER_INFO_LEVEL *il, prs_s if (UNMARSHALLING(ps)) { if ((il->info_1=(SPOOL_PRINTER_INFO_LEVEL_1 *)malloc(sizeof(SPOOL_PRINTER_INFO_LEVEL_1))) == NULL) return False; + ZERO_STRUCTP(il->info_1); } if (!spool_io_printer_info_level_1("", il->info_1, ps, depth)) return False; @@ -3528,6 +3529,7 @@ BOOL spool_io_printer_info_level(char *desc, SPOOL_PRINTER_INFO_LEVEL *il, prs_s if (UNMARSHALLING(ps)) { if ((il->info_2=(SPOOL_PRINTER_INFO_LEVEL_2 *)malloc(sizeof(SPOOL_PRINTER_INFO_LEVEL_2))) == NULL) return False; + ZERO_STRUCTP(il->info_2); } if (!spool_io_printer_info_level_2("", il->info_2, ps, depth)) return False; @@ -3537,6 +3539,7 @@ BOOL spool_io_printer_info_level(char *desc, SPOOL_PRINTER_INFO_LEVEL *il, prs_s if (UNMARSHALLING(ps)) { if ((il->info_3=(SPOOL_PRINTER_INFO_LEVEL_3 *)malloc(sizeof(SPOOL_PRINTER_INFO_LEVEL_3))) == NULL) return False; + ZERO_STRUCTP(il->info_3); } if (!spool_io_printer_info_level_3("", il->info_3, ps, depth)) return False; 
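Review bot: free_spoolss_q_setprinter now releases `q_u->info` and `q_u->devmode_ctr.devmode` but leaves both members pointing at freed memory, so a second call on the same SPOOL_Q_SETPRINTER, or any later read of those fields, becomes a double free or use-after-free. Clearing after the release, for example `q_u->devmode_ctr.devmode = NULL;`, makes the function safe to reach from more than one cleanup path. It also depends on every member being initialised when unmarshalling stops part-way; whether the caller zeroes `q_u` before parsing is not visible here, and a one-line comment above the function stating that requirement would help.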
@@ -4769,29 +4772,72 @@ BOOL spoolss_io_q_getjob(char *desc, SPOOL_Q_GETJOB *q_u, prs_struct *ps, int de void free_devmode(DEVICEMODE *devmode) { if (devmode!=NULL) { - if (devmode->private!=NULL) - free(devmode->private); - free(devmode); + safe_free(devmode->private); + safe_free(devmode); } } -void free_printer_info_3(PRINTER_INFO_3 *printer) +void free_printer_info_1(PRINTER_INFO_1 *printer) +{ + safe_free(printer); +} + +void free_printer_info_2(PRINTER_INFO_2 *printer) { if (printer!=NULL) { + free_devmode(printer->devmode); + printer->devmode = NULL; if (printer->secdesc != NULL) free_sec_desc(&printer->secdesc); - free(printer); + safe_free(printer); } } -void free_printer_info_2(PRINTER_INFO_2 *printer) +void free_printer_info_3(PRINTER_INFO_3 *printer) { if (printer!=NULL) { - free_devmode(printer->devmode); - printer->devmode = NULL; if (printer->secdesc != NULL) free_sec_desc(&printer->secdesc); - free(printer); + safe_free(printer); + } +} + +void free_spool_printer_info_1(SPOOL_PRINTER_INFO_LEVEL_1 *printer) +{ + safe_free(printer); +} + +void free_spool_printer_info_2(SPOOL_PRINTER_INFO_LEVEL_2 *printer) +{ + if (printer!=NULL) { + if (printer->secdesc != NULL) + free_sec_desc_buf(&printer->secdesc); + safe_free(printer); + } +} + +void free_spool_printer_info_3(SPOOL_PRINTER_INFO_LEVEL_3 *printer) +{ + safe_free(printer); +} + +void free_spool_printer_info_level(SPOOL_PRINTER_INFO_LEVEL *pil) +{ + if (pil == NULL) + return; + + switch (pil->level) { + case 1: + free_spool_printer_info_1(pil->info_1); + break; + case 2: + free_spool_printer_info_2(pil->info_2); + break; + case 3: + free_spool_printer_info_3(pil->info_3); + break; + default: + break; } } 
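Review bot: free_spool_printer_info_level chooses which pointer to free from `pil->level` and does not clear it afterwards, so it is only correct when the level and the matching `info_N` member are consistent and the function runs once per struct. On the unmarshalling path the level presumably comes from the request, and if allocation or parsing failed before `info_N` was assigned, the pointer is safe to free only when the enclosing struct was zeroed first (not visible in this hunk). Resetting the member in each case, for example `pil->info_2 = NULL;` after `free_spool_printer_info_2(pil->info_2);`, and a comment above the function stating the zero-initialisation requirement would close the double-free case.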
@@ -4824,16 +4870,11 @@ PRINTER_INFO_2 *add_print2_to_array(uint32 *len, PRINTER_INFO_2 ***array, static PRINTER_INFO_1 *prt1_dup(const PRINTER_INFO_1* from) { PRINTER_INFO_1 *copy = (PRINTER_INFO_1 *)malloc(sizeof(PRINTER_INFO_1)); - if (copy != NULL) - { + if (copy != NULL) { if (from != NULL) - { memcpy(copy, from, sizeof(*copy)); - } else - { ZERO_STRUCTP(copy); - } } return copy; } diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c index 327a4a15fe..393ba64130 100644 --- a/source3/rpc_server/srv_spoolss_nt.c +++ b/source3/rpc_server/srv_spoolss_nt.c @@ -473,7 +473,7 @@ static BOOL alloc_buffer_size(NEW_BUFFER *buffer, uint32 buffer_size) uint32 extra_space; uint32 old_offset; - ps=&(buffer->prs); + ps= &buffer->prs; /* damn, I'm doing the reverse operation of prs_grow() :) */ if (buffer_size < prs_data_size(ps)) @@ -2398,7 +2398,10 @@ static uint32 getprinter_level_2(fstring servername, int snum, NEW_BUFFER *buffe } /* fill the buffer with the structures */ - new_smb_io_printer_info_2("", buffer, printer, 0); + if (!new_smb_io_printer_info_2("", buffer, printer, 0)) { + free_printer_info_2(printer); + return ERROR_NOT_ENOUGH_MEMORY; + } /* clear memory */ free_printer_info_2(printer); @@ -3002,7 +3005,6 @@ static uint32 update_printer(const POLICY_HND *handle, uint32 level, { int snum; NT_PRINTER_INFO_LEVEL *printer = NULL; - NT_DEVICEMODE *ntdevmode = NULL; Printer_entry *Printer = find_printer_index_by_hnd(handle); DEBUG(8,("update_printer\n")); @@ -3025,6 +3027,7 @@ static uint32 update_printer(const POLICY_HND *handle, uint32 level, convert_printer_info(info, printer, level); if (info->info_2->devmode_ptr != 0) { + NT_DEVICEMODE *ntdevmode = NULL; /* we have a valid devmode convert it and link it*/ 
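Review bot: In getprinter_level_2 every failure of `new_smb_io_printer_info_2` is now reported as `ERROR_NOT_ENOUGH_MEMORY`, although the hunk does not show that allocation is the only way the marshalling call can fail. If it can also fail because the supplied buffer is too small or a field cannot be encoded, a comment naming the failure causes, or a more specific status, would make the mapping defensible. The two `free_printer_info_2(printer)` calls could also share a single exit path so a later edit cannot free on one branch and forget the other. getprinter_level_2 begins before and ends after the hunk.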
@@ -3036,6 +3039,7 @@ static uint32 update_printer(const POLICY_HND *handle, uint32 level, } convert_devicemode(devmode, ntdevmode); + free_nt_devicemode(&ntdevmode); } else { if (printer->info_2->devmode != NULL) free_nt_devicemode(&printer->info_2->devmode); @@ -3097,6 +3101,7 @@ uint32 _spoolss_fcpn(const POLICY_HND *handle) Printer->notify.localmachine[0]='\0'; Printer->notify.printerlocal=0; safe_free(Printer->notify.option); + safe_free(Printer->notify.option->ctr.type); Printer->notify.option=NULL; return NT_STATUS_NO_PROBLEMO; -- cgit
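Review bot: `free_nt_devicemode(&ntdevmode)` runs directly after `convert_devicemode(devmode, ntdevmode)` in update_printer, so the converted device mode is released with no visible use in between. The assignment of `ntdevmode` lies in the lines between this hunk and the previous one and is not shown: if it aliases `printer->info_2->devmode` (the comment says `convert it and link it`), the free leaves the printer record pointing at freed memory for the rest of the function; if it is a private copy, the client's devmode is converted and then discarded. Either way the ownership should be stated in a comment where `ntdevmode` is obtained, and the free moved after the last use of `printer` or replaced by the link step.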
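Review bot: The added `safe_free(Printer->notify.option->ctr.type);` in _spoolss_fcpn reads `option->ctr.type` after `safe_free(Printer->notify.option);` on the line above has already released `option`, which is a use-after-free, and it dereferences NULL whenever no option was set on the handle. The inner array has to be freed first and the dereference guarded: `if (Printer->notify.option != NULL) safe_free(Printer->notify.option->ctr.type);` placed before the existing `safe_free(Printer->notify.option);`. Since this runs in the RPC server on a handle supplied by the caller, it should be fixed rather than left to allocator behaviour. _spoolss_fcpn starts before the hunk.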