From 89869e090c56a3f83b451b437f9c3f40a231dd24 Mon Sep 17 00:00:00 2001
From: David Disseldorp <ddiss@samba.org>
Date: Thu, 4 Dec 2014 20:03:39 +0100
Subject: [PATCH] spoolss: clear JobInfo on GetJob error

In handling a spoolss GetJob request, the _spoolss_GetJob() handler may
return an immediate error if one of the input parameters is invalid. If
this is done without zeroing the pre-allocated @info pointer, then
api_spoolss_GetJob() will attempt to marshall @info, which in the case
of an @offered value of zero results in a marshalling error:

ndr_push_error(7): Bad subcontext (PUSH) content_size 64 is larger
than size_is(0)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/rpc_server/spoolss/srv_spoolss_nt.c | 28 +++++++++++++--------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
index 1226ec1bcbc..c71eb911097 100644
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -9484,7 +9484,8 @@ WERROR _spoolss_GetJob(struct pipes_struct *p,
 	/* that's an [in out] buffer */
 
 	if (!r->in.buffer && (r->in.offered != 0)) {
-		return WERR_INVALID_PARAM;
+		result = WERR_INVALID_PARAM;
+		goto err_jinfo_free;
 	}
 
 	DEBUG(5,("_spoolss_GetJob\n"));
@@ -9492,12 +9493,14 @@ WERROR _spoolss_GetJob(struct pipes_struct *p,
 	*r->out.needed = 0;
 
 	if (!get_printer_snum(p, r->in.handle, &snum, NULL)) {
-		return WERR_BADFID;
+		result = WERR_BADFID;
+		goto err_jinfo_free;
 	}
 
 	svc_name = lp_const_servicename(snum);
 	if (svc_name == NULL) {
-		return WERR_INVALID_PARAM;
+		result = WERR_INVALID_PARAM;
+		goto err_jinfo_free;
 	}
 
 	result = winreg_get_printer_internal(p->mem_ctx,
@@ -9506,22 +9509,22 @@ WERROR _spoolss_GetJob(struct pipes_struct *p,
 				    svc_name,
 				    &pinfo2);
 	if (!W_ERROR_IS_OK(result)) {
-		return result;
+		goto err_jinfo_free;
 	}
 
 	pdb = get_print_db_byname(svc_name);
 	if (pdb == NULL) {
 		DEBUG(3, ("failed to get print db for svc %s\n", svc_name));
-		TALLOC_FREE(pinfo2);
-		return WERR_INVALID_PARAM;
+		result = WERR_INVALID_PARAM;
+		goto err_pinfo_free;
 	}
 
 	sysjob = jobid_to_sysjob_pdb(pdb, r->in.job_id);
 	release_print_db(pdb);
 	if (sysjob == -1) {
 		DEBUG(3, ("no sysjob for spoolss jobid %u\n", r->in.job_id));
-		TALLOC_FREE(pinfo2);
-		return WERR_INVALID_PARAM;
+		result = WERR_INVALID_PARAM;
+		goto err_pinfo_free;
 	}
 
 	count = print_queue_status(p->msg_ctx, snum, &queue, &prt_status);
@@ -9551,8 +9554,7 @@ WERROR _spoolss_GetJob(struct pipes_struct *p,
 	TALLOC_FREE(pinfo2);
 
 	if (!W_ERROR_IS_OK(result)) {
-		TALLOC_FREE(r->out.info);
-		return result;
+		goto err_jinfo_free;
 	}
 
 	*r->out.needed	= SPOOLSS_BUFFER_UNION(spoolss_JobInfo, r->out.info,
@@ -9560,6 +9562,12 @@ WERROR _spoolss_GetJob(struct pipes_struct *p,
 	r->out.info	= SPOOLSS_BUFFER_OK(r->out.info, NULL);
 
 	return SPOOLSS_BUFFER_OK(WERR_OK, WERR_INSUFFICIENT_BUFFER);
+
+err_pinfo_free:
+	TALLOC_FREE(pinfo2);
+err_jinfo_free:
+	TALLOC_FREE(r->out.info);
+	return result;
 }
 
 /****************************************************************
-- 
2.34.1