CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.
authorJeremy Allison <jra@samba.org>
Tue, 2 Jan 2018 23:56:03 +0000 (15:56 -0800)
committerStefan Metzmacher <metze@samba.org>
Tue, 13 Mar 2018 15:06:10 +0000 (16:06 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 13 16:06:10 CET 2018 on sn-devel-144

source3/rpc_server/spoolss/srv_spoolss_nt.c

index e54636835988a842829f3136fb385aaf6b751b1f..c9ea400e0a84f408166e8a79f3f41e8ee55fd725 100644 (file)
@@ -142,6 +142,11 @@ static void prune_printername_cache(void);
 static const char *canon_servername(const char *servername)
 {
        const char *pservername = servername;
+
+       if (servername == NULL) {
+               return "";
+       }
+
        while (*pservername == '\\') {
                pservername++;
        }
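Review bot: The new NULL branch in canon_servername returns `""` without documenting that contract, so callers can no longer tell a server name the client omitted from one that was sent empty. A short comment above the check would record the intent, for example `/* NULL servername: treat as an empty name instead of dereferencing it. */`. The function body continues past the end of this hunk, so how the empty string is treated further down (for instance in any comparison against the local server name) is not visible here and is worth confirming.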
@@ -2041,6 +2046,10 @@ WERROR _spoolss_DeletePrinterDriver(struct pipes_struct *p,
                return WERR_ACCESS_DENIED;
        }
 
+       if (r->in.architecture == NULL || r->in.driver == NULL) {
+               return WERR_INVALID_ENVIRONMENT;
+       }
+
        /* check that we have a valid driver name first */
 
        if ((version = get_version_id(r->in.architecture)) == -1) {
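Review bot: The added guard in _spoolss_DeletePrinterDriver returns `WERR_INVALID_ENVIRONMENT` for a NULL `r->in.driver` as well as for a NULL `r->in.architecture`, so a missing driver name is reported as an environment error. If the wire behaviour allows it, the two fields could be tested separately; either way the reason for the check deserves a comment such as `/* architecture and driver come from the client request and may be NULL */`. The identical four lines are added in the _spoolss_DeletePrinterDriverEx hunk, where the same comment applies. Both functions start and end outside their hunks, so other uses of `r->in.*` strings in them cannot be checked from this page.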
@@ -2180,6 +2189,10 @@ WERROR _spoolss_DeletePrinterDriverEx(struct pipes_struct *p,
                return WERR_ACCESS_DENIED;
        }
 
+       if (r->in.architecture == NULL || r->in.driver == NULL) {
+               return WERR_INVALID_ENVIRONMENT;
+       }
+
        /* check that we have a valid driver name first */
        if (get_version_id(r->in.architecture) == -1) {
                /* this is what NT returns */