From 6cc45e3452194f312e04109cfdae047eb0719c7c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 2 Jan 2018 15:56:03 -0800 Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343 Signed-off-by: Jeremy Allison --- source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c @@ -176,6 +176,11 @@ static void prune_printername_cache(void static const char *canon_servername(const char *servername) { const char *pservername = servername; + + if (servername == NULL) { + return ""; + } + while (*pservername == '\\') { pservername++; } @@ -2080,6 +2085,10 @@ WERROR _spoolss_DeletePrinterDriver(stru return WERR_ACCESS_DENIED; } + if (r->in.architecture == NULL || r->in.driver == NULL) { + return WERR_INVALID_ENVIRONMENT; + } + /* check that we have a valid driver name first */ if ((version = get_version_id(r->in.architecture)) == -1) @@ -2225,6 +2234,10 @@ WERROR _spoolss_DeletePrinterDriverEx(st return WERR_ACCESS_DENIED; } + if (r->in.architecture == NULL || r->in.driver == NULL) { + return WERR_INVALID_ENVIRONMENT; + } + /* check that we have a valid driver name first */ if (get_version_id(r->in.architecture) == -1) { /* this is what NT returns */