Buffer Overflow

rberghmans at arafox.com rberghmans at arafox.com
Fri Jun 6 11:36:26 GMT 2003


Hi,

When I try to add printer driver via "server properties" of Windows, everything 
on the box is inactive. And in the log file I find this:

[2003/06/06 12:37:40, 4] rpc_server/srv_pipe.c:api_rpcTNP(1457)
  api_rpcTNP: spoolss op 0xa - api_rpcTNP: rpc command: 
SPOOLSS_ENUMPRINTERDRIVERS
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000000 spoolss_io_q_enumprinterdrivers
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
      0000 name_ptr: 00089330
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          0004 uni_max_len: 00000009
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          0008 undoc      : 00000000
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          000c uni_str_len: 00000009
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:dbg_rw_punival(806)
          0010 buffer     : \.\.A.r.a.f.o.x...
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
      0024 environment_ptr: 00089354
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          0028 uni_max_len: 0000000f
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          002c undoc      : 00000000
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          0030 uni_str_len: 0000000f
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:dbg_rw_punival(806)
          0034 buffer     : W.i.n.d.o.w.s. .N.T. .x.8.6...
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
      0054 level: 00000003
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          0058 ptr: 00089380
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          005c size: 00000400
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
      0460 offered: 00000400
[2003/06/06 12:37:40, 4] rpc_server/srv_spoolss_nt.c:_spoolss_enumprinterdrivers(6833)
  _spoolss_enumprinterdrivers
  we have:[0] drivers in environment [Windows NT x86] and version [0]
  we have:[0] drivers in environment [Windows NT x86] and version [1]
  we have:[0] drivers in environment [Windows NT x86] and version [2]
  we have:[0] drivers in environment [Windows NT x86] and version [3]
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_debug(81)
 000000 spoolss_io_r_enumprinterdrivers
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          0000 ptr: 00089380
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          0004 size: 00000400
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
      0408 needed: 00000000
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
      040c returned: 00000000
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_werror(694)
      0410 status: WERR_OK
[2003/06/06 12:37:40, 5] rpc_server/srv_pipe.c:api_rpcTNP(1504)
  api_rpcTNP: called spoolss successfully
[2003/06/06 12:37:40, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)
  free_pipe_context: destroying talloc pool of size 100
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000000 smb_io_rpc_hdr hdr
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint8(576)
      0000 major     : 05
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint8(576)
      0001 minor     : 00
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint8(576)
      0002 pkt_type  : 02
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint8(576)
      0003 flags     : 03
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint8(576)
      0004 pack_type0: 10
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint8(576)
      0005 pack_type1: 00
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint8(576)
      0006 pack_type2: 00
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint8(576)
      0007 pack_type3: 00
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint16(605)
      0008 frag_len  : 042c
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint16(605)
      000a auth_len  : 0000
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
      000c call_id   : 00000001
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000010 smb_io_rpc_hdr_resp resp
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint32(634)
      0010 alloc_hint: 00000414
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint16(605)
      0014 context_id: 0000
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint8(576)
      0016 cancel_ct : 00
[2003/06/06 12:37:40, 5] rpc_parse/parse_prs.c:prs_uint8(576)
      0017 reserved  : 00
[2003/06/06 12:37:40, 5] smbd/ipc.c:send_trans_reply(91)
  send_trans_reply: buffer 1024 too large
[2003/06/06 12:37:40, 3] smbd/error.c:error_packet(113)
  error packet at smbd/ipc.c(99) cmd=37 (SMBtrans) STATUS_BUFFER_OVERFLOW
[2003/06/06 12:37:40, 5] smbd/ipc.c:copy_trans_params_and_data(62)


Regards,

Thank you for your help,

Raphaël
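The decoded header fields in the trace (smb_io_rpc_hdr and smb_io_rpc_hdr_resp) are enough to reconstruct the wire bytes of the response PDU, so here is an added example, not Samba code and not part of the original post, that parses that DCE/RPC response header, checks the frag_len/alloc_hint arithmetic, and compares the fragment size with the SMBtrans data limit the client offered. The 24 header bytes and the 1024-byte limit are constructed from the values printed in the log; treating 1024 as the client's max data count is an assumption, labelled as such in the code.

```python
"""Decode the DCE/RPC response header from the Samba trace above and check
whether the reply fits the client's SMBtrans data limit.

Added example, not Samba code.  SAMPLE_RESPONSE_HEADER is constructed from
the field values the trace prints for smb_io_rpc_hdr / smb_io_rpc_hdr_resp.
"""
import struct

COMMON_HDR_LEN = 16      # MS-RPCE connection-oriented common header
RESP_HDR_LEN = 8         # alloc_hint(4) context_id(2) cancel_count(1) reserved(1)
PKT_TYPE_RESPONSE = 0x02

# Constructed from the trace: major 05, minor 00, pkt_type 02, flags 03,
# drep 10 00 00 00, frag_len 042c, auth_len 0000, call_id 1,
# alloc_hint 0414, context_id 0, cancel_ct 0, reserved 0 (all little-endian).
SAMPLE_RESPONSE_HEADER = bytes.fromhex(
    "05 00 02 03 10 00 00 00 2c 04 00 00 01 00 00 00"
    "14 04 00 00 00 00 00 00"
)

# Assumption: the 1024 in "send_trans_reply: buffer 1024 too large" is the
# max data count the client offered in its SMBtrans request.
SAMPLE_MAX_DATA_COUNT = 1024


def parse_rpc_hdr(buf):
    """Parse the 16-byte common header and, for a response PDU, the 8-byte
    response header.  Integer byte order follows the data-representation
    byte (pack_type0 in the trace), as any real parser must."""
    if len(buf) < COMMON_HDR_LEN:
        raise ValueError("PDU shorter than common header: %d bytes" % len(buf))
    major, minor, pkt_type, flags = struct.unpack_from("<4B", buf, 0)
    if major != 5:
        raise ValueError("unsupported RPC version %d" % major)
    # High nibble of drep[0]: 1 = little-endian integers, 0 = big-endian.
    order = "<" if (buf[4] & 0xF0) == 0x10 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(order + "HHI", buf, 8)
    hdr = {
        "major": major, "minor": minor, "pkt_type": pkt_type, "flags": flags,
        "little_endian": order == "<",
        "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id,
    }
    if pkt_type == PKT_TYPE_RESPONSE:
        if len(buf) < COMMON_HDR_LEN + RESP_HDR_LEN:
            raise ValueError("response PDU shorter than response header")
        alloc_hint, context_id, cancel_count, _reserved = struct.unpack_from(
            order + "IHBB", buf, COMMON_HDR_LEN)
        hdr.update(alloc_hint=alloc_hint, context_id=context_id,
                   cancel_count=cancel_count)
    return hdr


def stub_data_len(hdr):
    """Bytes of marshalled stub data carried in this fragment."""
    return hdr["frag_len"] - COMMON_HDR_LEN - RESP_HDR_LEN - hdr["auth_len"]


def header_is_consistent(hdr):
    """For a single-fragment reply alloc_hint should equal the stub length;
    a mismatch points at a truncated or corrupted PDU."""
    return hdr.get("alloc_hint") == stub_data_len(hdr)


def transact_fit(hdr, max_data_count):
    """Compare the whole fragment with the SMBtrans max data count.
    Returns (fits, bytes_left_over).  A non-zero remainder is the case smbd
    reports as STATUS_BUFFER_OVERFLOW: the first max_data_count bytes are
    returned now and the rest has to be read from the pipe afterwards."""
    over = hdr["frag_len"] - max_data_count
    return (over <= 0, max(over, 0))


if __name__ == "__main__":
    h = parse_rpc_hdr(SAMPLE_RESPONSE_HEADER)
    print("frag_len=%d stub=%d alloc_hint=%d consistent=%s" % (
        h["frag_len"], stub_data_len(h), h["alloc_hint"], header_is_consistent(h)))
    fits, left = transact_fit(h, SAMPLE_MAX_DATA_COUNT)
    print("fits in %d-byte transact reply: %s (%d bytes outstanding)" % (
        SAMPLE_MAX_DATA_COUNT, fits, left))
```

For the header in this trace the script reports frag_len 1068 (0x42c), 1044 bytes of stub data matching alloc_hint 0x414, and 44 bytes that do not fit in a 1024-byte transact reply. In SMB named-pipe terms that STATUS_BUFFER_OVERFLOW is the "more data pending" status sent together with the first 1024 bytes, so the useful check when reading such a trace is the arithmetic above and whether the client then reads the remaining bytes, rather than looking for an overrun in smbd.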


