WPrintQGetInfo overflow behavior
nishihara
nishihara at silexamerica.com
Tue Feb 8 02:25:22 GMT 2005
Hello,
I think I found a bug in smbd/lanman.c.
Even though the buffer overruns at the PACKS function, the error status
(desc->errcode) is ignored and overwritten at the end of the
fill_printq_info_52 function.

[lanman.c / fill_printq_info_52 (575)]

    for ( i=0; i<count && driver.info_3->dependentfiles &&
          *driver.info_3->dependentfiles[i]; i++)
    {
        trim_string(driver.info_3->dependentfiles[i],"\\print$\\WIN40\\0\\", 0);
        PACKS(desc,"z",driver.info_3->dependentfiles[i]); /* driver files to copy */
        DEBUG(3,("Dependent File: %s:\n",driver.info_3->dependentfiles[i]));
    }

    /* sanity check */
    if ( i != count )
        DEBUG(3,("fill_printq_info_52: file count specified by client [%d] != number of dependent files [%i]\n",count, i));

    DEBUG(3,("fill_printq_info on <%s> gave %d entries\n", SERVICE(snum),i));
    desc->errcode=NERR_Success;
    goto done;

I think the following line has to be put just after the PACKS
function in order to make it work when the overrun happens.

        PACKS(desc,"z",driver.info_3->dependentfiles[i]); /* driver files to copy */
        if (desc->errcode != 0) goto done; /* <<< ERROR CHECK!! */

I found this when I was testing printer driver APW functionality for
Canon PIXSUS 560i. It works with Windows XP, but doesn't work with
Windows 98 SE, because of the reason I described above.
Best regards.
----
Kenta Nishihara
silex technology america, Inc.
E-mail: nishihara at silexamerica.com
[Phone] 801-747-0656 [Fax] 801-747-0659
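
The failure mode reported in the message above, as an added example that is not part of the original post or of Samba's source: a simplified pack routine records an overflow in a status field, and the caller either overwrites that status after the loop or tests it after every pack. All names (`demo_desc`, `demo_pack_z`, `demo_fill`), the 32-byte buffer, the error value and the file names are assumptions made for the illustration; the real PACKS is not reproduced.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_SUCCESS      0  /* plays the role of NERR_Success */
#define DEMO_ERR_OVERFLOW 1  /* constructed value, not a Samba constant */

/* Hypothetical, simplified reply descriptor: fixed buffer plus sticky status. */
struct demo_desc {
    char   buf[32];
    size_t used;
    int    errcode;
};
/* Append s with its NUL; if it does not fit, copy nothing and record the error. */
static void demo_pack_z(struct demo_desc *d, const char *s)
{
    size_t need = strlen(s) + 1;
    if (need > sizeof(d->buf) - d->used) {
        d->errcode = DEMO_ERR_OVERFLOW;
        return;
    }
    memcpy(d->buf + d->used, s, need);
    d->used += need;
}

/* check_each = 0: status is only assigned after the loop, as in the quoted code.
 * check_each = 1: status is tested after every pack, as the post proposes. */
static int demo_fill(const char *const *files, size_t count, int check_each)
{
    struct demo_desc d = { .used = 0, .errcode = DEMO_SUCCESS };
    for (size_t i = 0; i < count; i++) {
        demo_pack_z(&d, files[i]);
        if (check_each && d.errcode != DEMO_SUCCESS)
            goto done;              /* the overflow status survives */
    }
    d.errcode = DEMO_SUCCESS;       /* unconditional: erases any earlier overflow */
done:
    return d.errcode;
}
/* Constructed input: 13 bytes per name with NUL, so the third exceeds 32 bytes. */
static const char *const demo_files[] = {
    "DEMODRV1.DLL", "DEMODRV2.DLL", "DEMODRV3.DLL"
};

int main(void)
{
    printf("status only set at end: %d\n", demo_fill(demo_files, 3, 0));
    printf("status checked per pack: %d\n", demo_fill(demo_files, 3, 1));
    return 0;
}
```

With the constructed input the first variant reports success although the third name was never packed, while the second returns the overflow status to its caller.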