WPrintQGetInfo overflow behavior

[nishihara]

Hello,

I think I found a bug in smbd/lanman.c.
Eventhough the buffer overruns at PACKS function, the error status
(desc->errcode) is ignored and overwritten at the end of
fill_printq_info_52 function.


[lanman.c / fill_printq_info_52 (575)]
    for ( i=0; i<count && driver.info_3->dependentfiles &&
        *driver.info_3->dependentfiles[i]; i++)
    { 
        trim_string(driver.info_3->dependentfiles[i],"\\print$\\WIN40\\0\\", 0);
        PACKS(desc,"z",driver.info_3->dependentfiles[i]);         /* driver files to copy */
        DEBUG(3,("Dependent File: %s:\n",driver.info_3->dependentfiles[i]));
    }
    /* sanity check */
    if ( i != count )
        DEBUG(3,("fill_printq_info_52: file count specified by client [%d] != number of dependent
        files [%i]\n",count, i));

     DEBUG(3,("fill_printq_info on <%s> gave %d entries\n", SERVICE(snum),i));
     desc->errcode=NERR_Success;
     goto done;


I think the following line have to be put just after the PAKCS
function in order to make it work when the overrun happens.


        PACKS(desc,"z",driver.info_3->dependentfiles[i]);         /* driver files to copy */
        if (desc->errcode != 0) goto done; <<<<<<<<<<<<< ERROR CHECK!!


I found this when I was testing printer driver APW functionality for
Canon PIXSUS 560i. It works with Windows XP, but doesn't work with
Windows 98 SE, because of the reason I described above.

Best regards.
----
Kenta Nishihara
silex technology america, Inc.
E-mail: nishihara at silexamerica.com
[Phone] 801-747-0656  [Fax] 801-747-0659