aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2018-01-02 15:56:03 -0800
committerKarolin Seeger <kseeger@samba.org>2018-03-12 10:05:38 +0100
commit189d12940caffa66e6a11e226591bb2a20d4fa34 (patch)
treea586d06dacdbb734030c56576a6fd8682faf68aa
parent24df683b46b5e488c1a5e9f5ff8e4fd9126a53a6 (diff)
downloadsamba-189d12940caffa66e6a11e226591bb2a20d4fa34.tar.gz
samba-189d12940caffa66e6a11e226591bb2a20d4fa34.tar.xz
samba-189d12940caffa66e6a11e226591bb2a20d4fa34.zip
CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343 Signed-off-by: Jeremy Allison <jra@samba.org>
-rw-r--r--source3/rpc_server/spoolss/srv_spoolss_nt.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
index a9e778ee023..ef147e970e6 100644
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -182,6 +182,11 @@ static void prune_printername_cache(void);
static const char *canon_servername(const char *servername)
{
const char *pservername = servername;
+
+ if (servername == NULL) {
+ return "";
+ }
+
while (*pservername == '\\') {
pservername++;
}
@@ -2082,6 +2087,10 @@ WERROR _spoolss_DeletePrinterDriver(struct pipes_struct *p,
return WERR_ACCESS_DENIED;
}
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
+ return WERR_INVALID_ENVIRONMENT;
+ }
+
/* check that we have a valid driver name first */
if ((version = get_version_id(r->in.architecture)) == -1) {
@@ -2221,6 +2230,10 @@ WERROR _spoolss_DeletePrinterDriverEx(struct pipes_struct *p,
return WERR_ACCESS_DENIED;
}
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
+ return WERR_INVALID_ENVIRONMENT;
+ }
+
/* check that we have a valid driver name first */
if (get_version_id(r->in.architecture) == -1) {
/* this is what NT returns */