From 9b1878e538a39b5459a74790b371ef5c098e0642 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 19 Jan 2011 13:49:51 +0100 Subject: s3-spoolss: disallow storing an invalid devmode size. Guenther --- source3/rpc_server/srv_spoolss_util.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3') diff --git a/source3/rpc_server/srv_spoolss_util.c b/source3/rpc_server/srv_spoolss_util.c index 89cdc2dc1f..a0f5a4cfc5 100644 --- a/source3/rpc_server/srv_spoolss_util.c +++ b/source3/rpc_server/srv_spoolss_util.c @@ -1773,6 +1773,12 @@ WERROR winreg_update_printer(TALLOC_CTX *mem_ctx, goto done; } } + + if (devmode->size != (ndr_size_spoolss_DeviceMode(devmode, 0) - devmode->__driverextra_length)) { + result = WERR_INVALID_PARAM; + goto done; + } + ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, devmode, (ndr_push_flags_fn_t) ndr_push_spoolss_DeviceMode); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- cgit