spoolss: clear DriverInfo on GetPrinterDriver2 error

In handling a spoolss GetPrinterDriver2 request, the handler may
return an immediate error if one of the input parameters is invalid.
If this is done without zeroing the pre-allocated @info pointer, then
marshalling of the response will fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
index c71eb911097f84292dd434ed73395943cd7e5f22..9023ab672ff2ad8d3505705e49ac29b60adf34ff 100644 (file)
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -5686,14 +5686,16 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct *p,
        /* that's an [in out] buffer */
 
        if (!r->in.buffer && (r->in.offered != 0)) {
-               return WERR_INVALID_PARAM;
+               result = WERR_INVALID_PARAM;
+               goto err_info_free;
        }
 
        DEBUG(4,("_spoolss_GetPrinterDriver2\n"));
 
        if (!(printer = find_printer_index_by_hnd(p, r->in.handle))) {
                DEBUG(0,("_spoolss_GetPrinterDriver2: invalid printer handle!\n"));
-               return WERR_INVALID_PRINTER_NAME;
+               result = WERR_INVALID_PRINTER_NAME;
+               goto err_info_free;
        }
 
        *r->out.needed = 0;
@@ -5701,7 +5703,8 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct *p,
        *r->out.server_minor_version = 0;
 
        if (!get_printer_snum(p, r->in.handle, &snum, NULL)) {
-               return WERR_BADFID;
+               result = WERR_BADFID;
+               goto err_info_free;
        }
 
        if (r->in.client_major_version == SPOOLSS_DRIVER_VERSION_2012) {
@@ -5718,8 +5721,7 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct *p,
                                                     r->in.architecture,
                                                     version);
        if (!W_ERROR_IS_OK(result)) {
-               TALLOC_FREE(r->out.info);
-               return result;
+               goto err_info_free;
        }
 
        *r->out.needed  = SPOOLSS_BUFFER_UNION(spoolss_DriverInfo,
@@ -5727,6 +5729,10 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct *p,
        r->out.info     = SPOOLSS_BUFFER_OK(r->out.info, NULL);
 
        return SPOOLSS_BUFFER_OK(WERR_OK, WERR_INSUFFICIENT_BUFFER);
+
+err_info_free:
+       TALLOC_FREE(r->out.info);
+       return result;
 }