The branch, master has been updated
via 6c4570d torture/spoolss: issue GetJob after StartDocPrinter
via a11e97b spoolss: clear PrinterInfo on GetPrinter error
via c9fccb5 spoolss: clear info on GetPrinterDriverDirectory error
via 679c781 spoolss: clear info on GetPrintProcessorDirectory error
via b113ed6 spoolss: clear FormInfo on GetForm error
via fb9ecb04 spoolss: clear DriverInfo on GetPrinterDriver2 error
via 89869e0 spoolss: clear JobInfo on GetJob error
from 8dd3732 s4:kdc: add aes key support for trusted domains
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 6c4570d9c72569b8301ad5b0be6530ab1ef0f439
Author: David Disseldorp <[email protected]>
Date: Wed Dec 3 18:44:37 2014 +0100
torture/spoolss: issue GetJob after StartDocPrinter
This reflects Windows XP spoolss client behaviour. This fails if the job
is not yet instantiated on the server, and prior to the bso#10984 fix
resulted in an unsable DCERPC pipe.
Signed-off-by: David Disseldorp <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Andreas Schneider <[email protected]>
Autobuild-Date(master): Fri Dec 19 18:03:20 CET 2014 on sn-devel-104
commit a11e97b79645ff0d9e7d20f5318a979194a858fe
Author: David Disseldorp <[email protected]>
Date: Wed Dec 17 16:54:42 2014 +0100
spoolss: clear PrinterInfo on GetPrinter error
If an error is returned without zeroing a pre-allocated @info pointer,
then marshalling of the response will fail.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984
Signed-off-by: David Disseldorp <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit c9fccb5018f9a19bb654b9ad79aa716e37a274d6
Author: David Disseldorp <[email protected]>
Date: Wed Dec 17 16:47:50 2014 +0100
spoolss: clear info on GetPrinterDriverDirectory error
If an error is returned without zeroing a pre-allocated @info pointer,
then marshalling of the response will fail.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984
Signed-off-by: David Disseldorp <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 679c781112ce6b7cffca11c28e58ae5f9a0d717d
Author: David Disseldorp <[email protected]>
Date: Wed Dec 17 15:54:22 2014 +0100
spoolss: clear info on GetPrintProcessorDirectory error
If an error is returned without zeroing a pre-allocated @info pointer,
then marshalling of the response will fail.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984
Signed-off-by: David Disseldorp <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit b113ed6043622cdec68f3a70631b363594f3a8d0
Author: David Disseldorp <[email protected]>
Date: Wed Dec 17 15:29:52 2014 +0100
spoolss: clear FormInfo on GetForm error
In handling a spoolss GetForm request, the handler may return an
immediate error if one of the input parameters is invalid. If this is
done without zeroing the pre-allocated @info pointer, then marshalling
of the response will fail.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984
Signed-off-by: David Disseldorp <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit fb9ecb044ee986ab3496da6cbad162a224378475
Author: David Disseldorp <[email protected]>
Date: Wed Dec 17 15:21:33 2014 +0100
spoolss: clear DriverInfo on GetPrinterDriver2 error
In handling a spoolss GetPrinterDriver2 request, the handler may
return an immediate error if one of the input parameters is invalid.
If this is done without zeroing the pre-allocated @info pointer, then
marshalling of the response will fail.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984
Signed-off-by: David Disseldorp <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 89869e090c56a3f83b451b437f9c3f40a231dd24
Author: David Disseldorp <[email protected]>
Date: Thu Dec 4 20:03:39 2014 +0100
spoolss: clear JobInfo on GetJob error
In handling a spoolss GetJob request, the _spoolss_GetJob() handler may
return an immediate error if one of the input parameters is invalid. If
this is done without zeroing the pre-allocated @info pointer, then
api_spoolss_GetJob() will attempt to marshall @info, which in the case
of an @offered value of zero results in a marshalling error:
ndr_push_error(7): Bad subcontext (PUSH) content_size 64 is larger
than size_is(0)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984
Signed-off-by: David Disseldorp <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
source3/rpc_server/spoolss/srv_spoolss_nt.c | 78 +++++++++++++++++++----------
source4/torture/rpc/spoolss.c | 8 +++
2 files changed, 60 insertions(+), 26 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c
b/source3/rpc_server/spoolss/srv_spoolss_nt.c
index 1226ec1..115af2d 100644
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -4778,17 +4778,20 @@ WERROR _spoolss_GetPrinter(struct pipes_struct *p,
/* that's an [in out] buffer */
if (!r->in.buffer && (r->in.offered != 0)) {
- return WERR_INVALID_PARAM;
+ result = WERR_INVALID_PARAM;
+ goto err_info_free;
}
*r->out.needed = 0;
if (Printer == NULL) {
- return WERR_BADFID;
+ result = WERR_BADFID;
+ goto err_info_free;
}
if (!get_printer_snum(p, r->in.handle, &snum, NULL)) {
- return WERR_BADFID;
+ result = WERR_BADFID;
+ goto err_info_free;
}
result = winreg_get_printer_internal(p->mem_ctx,
@@ -4797,7 +4800,7 @@ WERROR _spoolss_GetPrinter(struct pipes_struct *p,
lp_const_servicename(snum),
&info2);
if (!W_ERROR_IS_OK(result)) {
- goto out;
+ goto err_info_free;
}
switch (r->in.level) {
@@ -4857,12 +4860,10 @@ WERROR _spoolss_GetPrinter(struct pipes_struct *p,
}
TALLOC_FREE(info2);
- out:
if (!W_ERROR_IS_OK(result)) {
DEBUG(0, ("_spoolss_GetPrinter: failed to construct printer
info level %d - %s\n",
r->in.level, win_errstr(result)));
- TALLOC_FREE(r->out.info);
- return result;
+ goto err_info_free;
}
*r->out.needed = SPOOLSS_BUFFER_UNION(spoolss_PrinterInfo,
@@ -4870,6 +4871,10 @@ WERROR _spoolss_GetPrinter(struct pipes_struct *p,
r->out.info = SPOOLSS_BUFFER_OK(r->out.info, NULL);
return SPOOLSS_BUFFER_OK(WERR_OK, WERR_INSUFFICIENT_BUFFER);
+
+err_info_free:
+ TALLOC_FREE(r->out.info);
+ return result;
}
/********************************************************************
@@ -5686,14 +5691,16 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct
*p,
/* that's an [in out] buffer */
if (!r->in.buffer && (r->in.offered != 0)) {
- return WERR_INVALID_PARAM;
+ result = WERR_INVALID_PARAM;
+ goto err_info_free;
}
DEBUG(4,("_spoolss_GetPrinterDriver2\n"));
if (!(printer = find_printer_index_by_hnd(p, r->in.handle))) {
DEBUG(0,("_spoolss_GetPrinterDriver2: invalid printer
handle!\n"));
- return WERR_INVALID_PRINTER_NAME;
+ result = WERR_INVALID_PRINTER_NAME;
+ goto err_info_free;
}
*r->out.needed = 0;
@@ -5701,7 +5708,8 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct *p,
*r->out.server_minor_version = 0;
if (!get_printer_snum(p, r->in.handle, &snum, NULL)) {
- return WERR_BADFID;
+ result = WERR_BADFID;
+ goto err_info_free;
}
if (r->in.client_major_version == SPOOLSS_DRIVER_VERSION_2012) {
@@ -5718,8 +5726,7 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct *p,
r->in.architecture,
version);
if (!W_ERROR_IS_OK(result)) {
- TALLOC_FREE(r->out.info);
- return result;
+ goto err_info_free;
}
*r->out.needed = SPOOLSS_BUFFER_UNION(spoolss_DriverInfo,
@@ -5727,6 +5734,10 @@ WERROR _spoolss_GetPrinterDriver2(struct pipes_struct *p,
r->out.info = SPOOLSS_BUFFER_OK(r->out.info, NULL);
return SPOOLSS_BUFFER_OK(WERR_OK, WERR_INSUFFICIENT_BUFFER);
+
+err_info_free:
+ TALLOC_FREE(r->out.info);
+ return result;
}
@@ -7847,6 +7858,7 @@ WERROR _spoolss_GetForm(struct pipes_struct *p,
/* that's an [in out] buffer */
if (!r->in.buffer && (r->in.offered != 0)) {
+ TALLOC_FREE(r->out.info);
return WERR_INVALID_PARAM;
}
@@ -8537,6 +8549,7 @@ WERROR _spoolss_GetPrinterDriverDirectory(struct
pipes_struct *p,
/* that's an [in out] buffer */
if (!r->in.buffer && (r->in.offered != 0)) {
+ TALLOC_FREE(r->out.info);
return WERR_INVALID_PARAM;
}
@@ -9484,7 +9497,8 @@ WERROR _spoolss_GetJob(struct pipes_struct *p,
/* that's an [in out] buffer */
if (!r->in.buffer && (r->in.offered != 0)) {
- return WERR_INVALID_PARAM;
+ result = WERR_INVALID_PARAM;
+ goto err_jinfo_free;
}
DEBUG(5,("_spoolss_GetJob\n"));
@@ -9492,12 +9506,14 @@ WERROR _spoolss_GetJob(struct pipes_struct *p,
*r->out.needed = 0;
if (!get_printer_snum(p, r->in.handle, &snum, NULL)) {
- return WERR_BADFID;
+ result = WERR_BADFID;
+ goto err_jinfo_free;
}
svc_name = lp_const_servicename(snum);
if (svc_name == NULL) {
- return WERR_INVALID_PARAM;
+ result = WERR_INVALID_PARAM;
+ goto err_jinfo_free;
}
result = winreg_get_printer_internal(p->mem_ctx,
@@ -9506,22 +9522,22 @@ WERROR _spoolss_GetJob(struct pipes_struct *p,
svc_name,
&pinfo2);
if (!W_ERROR_IS_OK(result)) {
- return result;
+ goto err_jinfo_free;
}
pdb = get_print_db_byname(svc_name);
if (pdb == NULL) {
DEBUG(3, ("failed to get print db for svc %s\n", svc_name));
- TALLOC_FREE(pinfo2);
- return WERR_INVALID_PARAM;
+ result = WERR_INVALID_PARAM;
+ goto err_pinfo_free;
}
sysjob = jobid_to_sysjob_pdb(pdb, r->in.job_id);
release_print_db(pdb);
if (sysjob == -1) {
DEBUG(3, ("no sysjob for spoolss jobid %u\n", r->in.job_id));
- TALLOC_FREE(pinfo2);
- return WERR_INVALID_PARAM;
+ result = WERR_INVALID_PARAM;
+ goto err_pinfo_free;
}
count = print_queue_status(p->msg_ctx, snum, &queue, &prt_status);
@@ -9551,8 +9567,7 @@ WERROR _spoolss_GetJob(struct pipes_struct *p,
TALLOC_FREE(pinfo2);
if (!W_ERROR_IS_OK(result)) {
- TALLOC_FREE(r->out.info);
- return result;
+ goto err_jinfo_free;
}
*r->out.needed = SPOOLSS_BUFFER_UNION(spoolss_JobInfo, r->out.info,
@@ -9560,6 +9575,12 @@ WERROR _spoolss_GetJob(struct pipes_struct *p,
r->out.info = SPOOLSS_BUFFER_OK(r->out.info, NULL);
return SPOOLSS_BUFFER_OK(WERR_OK, WERR_INSUFFICIENT_BUFFER);
+
+err_pinfo_free:
+ TALLOC_FREE(pinfo2);
+err_jinfo_free:
+ TALLOC_FREE(r->out.info);
+ return result;
}
/****************************************************************
@@ -10131,7 +10152,8 @@ WERROR _spoolss_GetPrintProcessorDirectory(struct
pipes_struct *p,
/* that's an [in out] buffer */
if (!r->in.buffer && (r->in.offered != 0)) {
- return WERR_INVALID_PARAM;
+ result = WERR_INVALID_PARAM;
+ goto err_info_free;
}
DEBUG(5,("_spoolss_GetPrintProcessorDirectory: level %d\n",
@@ -10147,7 +10169,8 @@ WERROR _spoolss_GetPrintProcessorDirectory(struct
pipes_struct *p,
snum = find_service(talloc_tos(), "prnproc$", &prnproc_share);
if (!prnproc_share) {
- return WERR_NOMEM;
+ result = WERR_NOMEM;
+ goto err_info_free;
}
if (snum != -1) {
prnproc_share_exists = true;
@@ -10158,8 +10181,7 @@ WERROR _spoolss_GetPrintProcessorDirectory(struct
pipes_struct *p,
r->in.environment,
&r->out.info->info1);
if (!W_ERROR_IS_OK(result)) {
- TALLOC_FREE(r->out.info);
- return result;
+ goto err_info_free;
}
*r->out.needed =
SPOOLSS_BUFFER_UNION(spoolss_PrintProcessorDirectoryInfo,
@@ -10167,6 +10189,10 @@ WERROR _spoolss_GetPrintProcessorDirectory(struct
pipes_struct *p,
r->out.info = SPOOLSS_BUFFER_OK(r->out.info, NULL);
return SPOOLSS_BUFFER_OK(WERR_OK, WERR_INSUFFICIENT_BUFFER);
+
+err_info_free:
+ TALLOC_FREE(r->out.info);
+ return result;
}
/*******************************************************************
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index 20e86fc..23f501d 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
@@ -3446,6 +3446,9 @@ static bool test_DoPrintTest_add_one_job_common(struct
torture_context *tctx,
torture_assert_werr_ok(tctx, s.out.result, "StartDocPrinter failed");
for (i=1; i < 4; i++) {
+ union spoolss_JobInfo ginfo;
+ bool ok;
+
torture_comment(tctx, "Testing StartPagePrinter: Page[%d],
JobId[%d]\n", i, *job_id);
sp.in.handle = handle;
@@ -3455,6 +3458,11 @@ static bool test_DoPrintTest_add_one_job_common(struct
torture_context *tctx,
"dcerpc_spoolss_StartPagePrinter
failed");
torture_assert_werr_ok(tctx, sp.out.result, "StartPagePrinter
failed");
+ ok = test_GetJob_args(tctx, b, handle, *job_id, 1, &ginfo);
+ if (!ok) {
+ torture_comment(tctx, "test_GetJob failed for
JobId[%d]\n", *job_id);
+ }
+
torture_comment(tctx, "Testing WritePrinter: Page[%d],
JobId[%d]\n", i, *job_id);
w.in.handle = handle;
--
Samba Shared Repository
