12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849 |
- From 6cc45e3452194f312e04109cfdae047eb0719c7c Mon Sep 17 00:00:00 2001
- From: Jeremy Allison <jra@samba.org>
- Date: Tue, 2 Jan 2018 15:56:03 -0800
- Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null
- pointer derefs.
- BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
- Signed-off-by: Jeremy Allison <jra@samba.org>
- ---
- source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
- --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
- +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
- @@ -176,6 +176,11 @@ static void prune_printername_cache(void
- static const char *canon_servername(const char *servername)
- {
- const char *pservername = servername;
- +
- + if (servername == NULL) {
- + return "";
- + }
- +
- while (*pservername == '\\') {
- pservername++;
- }
- @@ -2080,6 +2085,10 @@ WERROR _spoolss_DeletePrinterDriver(stru
- return WERR_ACCESS_DENIED;
- }
-
- + if (r->in.architecture == NULL || r->in.driver == NULL) {
- + return WERR_INVALID_ENVIRONMENT;
- + }
- +
- /* check that we have a valid driver name first */
-
- if ((version = get_version_id(r->in.architecture)) == -1)
- @@ -2225,6 +2234,10 @@ WERROR _spoolss_DeletePrinterDriverEx(st
- return WERR_ACCESS_DENIED;
- }
-
- + if (r->in.architecture == NULL || r->in.driver == NULL) {
- + return WERR_INVALID_ENVIRONMENT;
- + }
- +
- /* check that we have a valid driver name first */
- if (get_version_id(r->in.architecture) == -1) {
- /* this is what NT returns */
|