From 413ffe9adb8eea488133da0249dcb2eca08fd69d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 23 Apr 2010 02:34:43 +0200 Subject: s3-spoolss: fix some crash bugs and missing error codes in AddDriver paths. Found by torture test. Guenther --- source3/printing/nt_printing.c | 10 ++++++++-- source3/rpc_server/srv_spoolss_nt.c | 4 ++++ 2 files changed, 12 insertions(+), 2 deletions(-) (limited to 'source3') diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index a2d7e8c947..56f5d18691 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -1605,7 +1605,7 @@ static uint32 get_correct_cversion(struct pipes_struct *p, ****************************************************************************/ #define strip_driver_path(_mem_ctx, _element) do { \ - if ((_p = strrchr((_element), '\\')) != NULL) { \ + if (_element && ((_p = strrchr((_element), '\\')) != NULL)) { \ (_element) = talloc_asprintf((_mem_ctx), "%s", _p+1); \ W_ERROR_HAVE_NO_MEMORY((_element)); \ } \ @@ -1626,6 +1626,10 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx, WERROR err; char *_p; + if (!*driver_path || !*data_file || !*config_file) { + return WERR_INVALID_PARAM; + } + /* clean up the driver name. * we can get .\driver.dll * or worse c:\windows\system\driver.dll ! @@ -1635,7 +1639,9 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx, strip_driver_path(mem_ctx, *driver_path); strip_driver_path(mem_ctx, *data_file); strip_driver_path(mem_ctx, *config_file); - strip_driver_path(mem_ctx, *help_file); + if (help_file) { + strip_driver_path(mem_ctx, *help_file); + } if (dependent_files && dependent_files->string) { for (i=0; dependent_files->string[i]; i++) { diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c index eec421f67a..72499d8ad0 100644 --- a/source3/rpc_server/srv_spoolss_nt.c +++ b/source3/rpc_server/srv_spoolss_nt.c @@ -7511,6 +7511,10 @@ WERROR _spoolss_AddPrinterDriverEx(pipes_struct *p, * i.e. only copy files that are newer than existing ones */ + if (r->in.flags == 0) { + return WERR_INVALID_PARAM; + } + if (r->in.flags != APD_COPY_NEW_FILES) { return WERR_ACCESS_DENIED; } -- cgit