[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Fri Jan 13 16:52:02 MST 2012
The branch, master has been updated
via b8a8870 idl: add to_null property
via 94f925c idl: add to_null attribute to the spoolss devicename array
via 0df5d06 idl: add to_null attribute to the spoolss formname array
via ee292bf ndr: add ndr_pull_charset_to_null()
via 6501b8b idl: add parser for the to_null property
via 2fd4be0 s4-smbtorture: tweak spoolss_OpenPrinterEx devmode
from afb8a7c s3: Fix the talloc hierarchy in fetch_share_mode_unlocked
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b8a8870d276950fa7992047f98181bc137d63066
Author: David Disseldorp <ddiss at suse.de>
Date: Fri Jan 13 13:51:22 2012 -0800
idl: add to_null property
to_null specifies that character conversion should only occur up to the
null terminator in an array-based string.
Signed-off-by: Jeremy Allison <jra at samba.org>
Autobuild-User: Jeremy Allison <jra at samba.org>
Autobuild-Date: Sat Jan 14 00:51:54 CET 2012 on sn-devel-104
commit 94f925c815586221da10dcc5fcbadf9fb04a98f4
Author: David Disseldorp <ddiss at samba.org>
Date: Wed Nov 23 02:03:48 2011 +0100
idl: add to_null attribute to the spoolss devicename array
OpenPrinterEx requests have also been observed in the wild carrying
non-utf16 garbage after the device mode devicename field null
terminator.
Signed-off-by: Jeremy Allison <jra at samba.org>
commit 0df5d0608e8aaa7dce2866d0c2cc4c27c677d98d
Author: David Disseldorp <ddiss at suse.de>
Date: Sun Nov 13 20:40:56 2011 +0100
idl: add to_null attribute to the spoolss formname array
OpenPrinterEx requests have been observed in the wild carrying a device
mode formname "A4" followed by non-utf16 garbage after the null
terminator. Such requests currently fail during unmarshalling in the
ndr_pull_charset() codepath, causing intermittent print job failures.
This change ensures that garbage after the device mode formname null
terminator is not processed in unmarshalling.
https://bugzilla.samba.org/show_bug.cgi?id=8606
Signed-off-by: Jeremy Allison <jra at samba.org>
commit ee292bf5f342652b382a1926779f215f7f8bd806
Author: David Disseldorp <ddiss at suse.de>
Date: Sun Nov 13 20:01:43 2011 +0100
ndr: add ndr_pull_charset_to_null()
The same as ndr_pull_charset(), however only perform character
conversion on bytes prior to and including the null terminator.
Signed-off-by: Jeremy Allison <jra at samba.org>
commit 6501b8bc6f6f7cd83f67c9766abc8231caf7fe54
Author: David Disseldorp <ddiss at suse.de>
Date: Sun Nov 13 20:39:58 2011 +0100
idl: add parser for the to_null property
Compile into a ndr_pull_charset_to_null call.
Signed-off-by: Jeremy Allison <jra at samba.org>
commit 2fd4be0085332753ddbd59b2bc841da9a4d0cdce
Author: David Disseldorp <ddiss at samba.org>
Date: Tue Nov 15 18:08:43 2011 +0100
s4-smbtorture: tweak spoolss_OpenPrinterEx devmode
Flip some bits after the null terminator in the spoolss device mode
character arrays to trigger bug 8606.
Signed-off-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/spoolss.idl | 4 +-
librpc/ndr/libndr.h | 1 +
librpc/ndr/ndr_string.c | 31 ++++++++++++++++++++++++++++++
pidl/lib/Parse/Pidl/NDR.pm | 9 +++++++-
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 ++++-
source4/torture/ndr/spoolss.c | 4 +-
6 files changed, 49 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/idl/spoolss.idl b/librpc/idl/spoolss.idl
index 4599e3a..d888a79 100644
--- a/librpc/idl/spoolss.idl
+++ b/librpc/idl/spoolss.idl
@@ -678,7 +678,7 @@ cpp_quote("#define spoolss_security_descriptor security_descriptor")
const int MAXDEVICENAME = 32;
typedef [public,gensize] struct {
- [charset(UTF16)] uint16 devicename[MAXDEVICENAME];
+ [charset(UTF16),to_null] uint16 devicename[MAXDEVICENAME];
spoolss_DeviceModeSpecVersion specversion;
uint16 driverversion;
uint16 size;
@@ -697,7 +697,7 @@ cpp_quote("#define spoolss_security_descriptor security_descriptor")
uint16 yresolution;
spoolss_DeviceModeTTOption ttoption;
spoolss_DeviceModeCollate collate;
- [charset(UTF16)] uint16 formname[MAXDEVICENAME];
+ [charset(UTF16),to_null] uint16 formname[MAXDEVICENAME];
uint16 logpixels; /* reserved */
uint32 bitsperpel; /* reserved */
uint32 pelswidth; /* reserved */
diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
index 9c26bef..162c109 100644
--- a/librpc/ndr/libndr.h
+++ b/librpc/ndr/libndr.h
@@ -598,6 +598,7 @@ size_t ndr_size_string_array(const char **a, uint32_t count, int flags);
uint32_t ndr_string_length(const void *_var, uint32_t element_size);
enum ndr_err_code ndr_check_string_terminator(struct ndr_pull *ndr, uint32_t count, uint32_t element_size);
enum ndr_err_code ndr_pull_charset(struct ndr_pull *ndr, int ndr_flags, const char **var, uint32_t length, uint8_t byte_mul, charset_t chset);
+enum ndr_err_code ndr_pull_charset_to_null(struct ndr_pull *ndr, int ndr_flags, const char **var, uint32_t length, uint8_t byte_mul, charset_t chset);
enum ndr_err_code ndr_push_charset(struct ndr_push *ndr, int ndr_flags, const char *var, uint32_t length, uint8_t byte_mul, charset_t chset);
/* GUIDs */
diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 840776f..94a18c3 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -603,6 +603,37 @@ _PUBLIC_ enum ndr_err_code ndr_pull_charset(struct ndr_pull *ndr, int ndr_flags,
return NDR_ERR_SUCCESS;
}
+_PUBLIC_ enum ndr_err_code ndr_pull_charset_to_null(struct ndr_pull *ndr, int ndr_flags, const char **var, uint32_t length, uint8_t byte_mul, charset_t chset)
+{
+ size_t converted_size;
+ uint32_t str_len;
+
+ if (length == 0) {
+ *var = talloc_strdup(ndr->current_mem_ctx, "");
+ return NDR_ERR_SUCCESS;
+ }
+
+ if (NDR_BE(ndr) && chset == CH_UTF16) {
+ chset = CH_UTF16BE;
+ }
+
+ NDR_PULL_NEED_BYTES(ndr, length*byte_mul);
+
+ str_len = ndr_string_length(ndr->data+ndr->offset, byte_mul);
+ str_len = MIN(str_len, length); /* overrun protection */
+ if (!convert_string_talloc(ndr->current_mem_ctx, chset, CH_UNIX,
+ ndr->data+ndr->offset, str_len*byte_mul,
+ discard_const_p(void *, var),
+ &converted_size))
+ {
+ return ndr_pull_error(ndr, NDR_ERR_CHARCNV,
+ "Bad character conversion");
+ }
+ NDR_CHECK(ndr_pull_advance(ndr, length*byte_mul));
+
+ return NDR_ERR_SUCCESS;
+}
+
_PUBLIC_ enum ndr_err_code ndr_push_charset(struct ndr_push *ndr, int ndr_flags, const char *var, uint32_t length, uint8_t byte_mul, charset_t chset)
{
ssize_t required;
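Review bot: The terminator search in `ndr_pull_charset_to_null` is not bounded by `length`: `ndr_string_length(ndr->data+ndr->offset, byte_mul)` takes no limit (see its prototype in the libndr.h hunk), and the `MIN(str_len, length)` clamp is applied only after the scan has finished. When a sender leaves the terminator out of the field, the scan presumably keeps reading into whatever follows in the pull buffer and, if no zero element turns up, past the `length*byte_mul` bytes that `NDR_PULL_NEED_BYTES` validated; the body of ndr_string_length is not in this diff, so that should be confirmed. I would look for the terminator inside the field only, as sketched below (the sketch assumes `ndr->data` is a byte pointer and keeps the terminator in the converted span, as the commit message describes). Separately, `length*byte_mul` is evaluated in 32 bits, which deserves a guard if this helper is ever generated for arrays whose length comes from the wire.

```c
	NDR_PULL_NEED_BYTES(ndr, length*byte_mul);

	/* Look for the terminator only inside the length elements checked above. */
	{
		const uint8_t *field = ndr->data + ndr->offset;

		for (str_len = 0; str_len < length; str_len++) {
			const uint8_t *elem = field + (size_t)str_len * byte_mul;
			uint8_t acc = 0;
			uint8_t i;

			for (i = 0; i < byte_mul; i++) {
				acc |= elem[i];
			}
			if (acc == 0) {
				str_len++; /* terminator stays part of the converted span */
				break;
			}
		}
	}
	/* … unchanged: convert_string_talloc() on str_len*byte_mul bytes, ndr_pull_advance() … */
```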
diff --git a/pidl/lib/Parse/Pidl/NDR.pm b/pidl/lib/Parse/Pidl/NDR.pm
index db776ae..ed7fdab 100644
--- a/pidl/lib/Parse/Pidl/NDR.pm
+++ b/pidl/lib/Parse/Pidl/NDR.pm
@@ -171,6 +171,7 @@ sub GetElementLevelTable($$$)
my $is_string = 0;
my $is_fixed = 0;
my $is_inline = 0;
+ my $is_to_null = 0;
if ($d eq "*") {
$is_conformant = 1;
@@ -208,6 +209,10 @@ sub GetElementLevelTable($$$)
delete($e->{PROPERTIES}->{string});
}
+ if (has_property($e, "to_null")) {
+ $is_to_null = 1;
+ }
+
push (@$order, {
TYPE => "ARRAY",
SIZE_IS => $size,
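Review bot: `to_null` is recorded for every array level at `if (has_property($e, "to_null"))` without checking that the element also carries `charset`. The only consumer visible in this commit is the charset branch of ParseElementPullLevel in Parser.pm, so on an array without `charset` the attribute would apparently be accepted and then silently ignored. A diagnostic at this point would catch that, for example `warning($e, "to_null has no effect without charset") unless has_property($e, "charset");`. GetElementLevelTable starts and ends outside this hunk, so an existing check elsewhere in the function cannot be ruled out.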
@@ -218,7 +223,8 @@ sub GetElementLevelTable($$$)
IS_VARYING => $is_varying,
IS_CONFORMANT => $is_conformant,
IS_FIXED => $is_fixed,
- IS_INLINE => $is_inline
+ IS_INLINE => $is_inline,
+ IS_TO_NULL => $is_to_null
});
}
@@ -1102,6 +1108,7 @@ my %property_list = (
"noheader" => ["ELEMENT"],
"charset" => ["ELEMENT"],
"length_is" => ["ELEMENT"],
+ "to_null" => ["ELEMENT"],
);
#####################################################################
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index 6073ff8..16ed685 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -1068,7 +1068,11 @@ sub ParseElementPullLevel
if ($l->{IS_ZERO_TERMINATED}) {
$self->CheckStringTerminator($ndr, $e, $l, $length);
}
- $self->pidl("NDR_CHECK(ndr_pull_charset($ndr, $ndr_flags, ".get_pointer_to($var_name).", $length, sizeof(" . mapTypeName($nl->{DATA_TYPE}) . "), CH_$e->{PROPERTIES}->{charset}));");
+ if ($l->{IS_TO_NULL}) {
+ $self->pidl("NDR_CHECK(ndr_pull_charset_to_null($ndr, $ndr_flags, ".get_pointer_to($var_name).", $length, sizeof(" . mapTypeName($nl->{DATA_TYPE}) . "), CH_$e->{PROPERTIES}->{charset}));");
+ } else {
+ $self->pidl("NDR_CHECK(ndr_pull_charset($ndr, $ndr_flags, ".get_pointer_to($var_name).", $length, sizeof(" . mapTypeName($nl->{DATA_TYPE}) . "), CH_$e->{PROPERTIES}->{charset}));");
+ }
return;
} elsif (has_fast_array($e, $l)) {
if ($l->{IS_ZERO_TERMINATED}) {
diff --git a/source4/torture/ndr/spoolss.c b/source4/torture/ndr/spoolss.c
index 9fb4300..0cb792a 100644
--- a/source4/torture/ndr/spoolss.c
+++ b/source4/torture/ndr/spoolss.c
@@ -58,7 +58,7 @@ static const uint8_t openprinterex_devmode_req_data[] = {
0x6e, 0x00, 0x2d, 0x00, 0x6d, 0x00, 0x75, 0x00, 0x63, 0x00, 0x5c, 0x00,
0x6b, 0x00, 0x79, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x65, 0x00, 0x72, 0x00,
0x61, 0x00, 0x2d, 0x00, 0x6d, 0x00, 0x75, 0x00, 0x63, 0x00, 0x2d, 0x00,
- 0x6e, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00,
+ 0x6e, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0xd8, 0x2a, 0x00, 0x00, 0x00,
0x76, 0x00, 0x6d, 0x00, 0x01, 0x04, 0x00, 0x06, 0xdc, 0x00, 0xa0, 0x06,
0x53, 0xff, 0x00, 0x02, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x64, 0x00, 0x02, 0x00, 0x0f, 0x00, 0xb0, 0x04, 0x01, 0x00, 0x01, 0x00,
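Review bot: The altered bytes in `openprinterex_devmode_req_data` carry no explanation, so a later reader regenerating or trimming this capture cannot tell that `0x00, 0xd8` here and `0xf3, 0xd8` in the next hunk are deliberate. Both appear to form an unpaired UTF-16 high surrogate placed after a string's null terminator, which is what makes an unbounded conversion fail. I would add a comment beside each changed row, for example `/* 0xd8xx after the NUL: invalid UTF-16 on purpose, regression data for bug 8606 */`. The array definition begins and ends outside both hunks.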
@@ -66,7 +66,7 @@ static const uint8_t openprinterex_devmode_req_data[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x04, 0x00, 0x33, 0x00, 0xf3, 0x01, 0x08, 0x02, 0x08, 0x34, 0x00, 0x0c,
+ 0x04, 0x00, 0x33, 0x00, 0xf3, 0xd8, 0x08, 0x02, 0x08, 0x34, 0x00, 0x0c,
0x00, 0xf8, 0xfb, 0x0b, 0x08, 0x34, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
--
Samba Shared Repository