You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
50 lines
1.4 KiB
Diff
50 lines
1.4 KiB
Diff
From 6cc45e3452194f312e04109cfdae047eb0719c7c Mon Sep 17 00:00:00 2001
|
|
From: Jeremy Allison <jra@samba.org>
|
|
Date: Tue, 2 Jan 2018 15:56:03 -0800
|
|
Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null
|
|
pointer derefs.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
|
|
|
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
---
|
|
source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++
|
|
1 file changed, 13 insertions(+)
|
|
|
|
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
|
|
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
|
|
@@ -176,6 +176,11 @@ static void prune_printername_cache(void
|
|
static const char *canon_servername(const char *servername)
|
|
{
|
|
const char *pservername = servername;
|
|
+
|
|
+ if (servername == NULL) {
|
|
+ return "";
|
|
+ }
|
|
+
|
|
while (*pservername == '\\') {
|
|
pservername++;
|
|
}
|
|
@@ -2080,6 +2085,10 @@ WERROR _spoolss_DeletePrinterDriver(stru
|
|
return WERR_ACCESS_DENIED;
|
|
}
|
|
|
|
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
|
|
+ return WERR_INVALID_ENVIRONMENT;
|
|
+ }
|
|
+
|
|
/* check that we have a valid driver name first */
|
|
|
|
if ((version = get_version_id(r->in.architecture)) == -1)
|
|
@@ -2225,6 +2234,10 @@ WERROR _spoolss_DeletePrinterDriverEx(st
|
|
return WERR_ACCESS_DENIED;
|
|
}
|
|
|
|
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
|
|
+ return WERR_INVALID_ENVIRONMENT;
|
|
+ }
|
|
+
|
|
/* check that we have a valid driver name first */
|
|
if (get_version_id(r->in.architecture) == -1) {
|
|
/* this is what NT returns */
|