BUG in enumprinterdataex

Martin irezumi at gmx.de
Sat Feb 3 08:28:43 GMT 2007


Jeremy Allison wrote:
> On Fri, Feb 02, 2007 at 10:34:34AM +0100, Martin Zielinski wrote:
>> Hello,
>>
>> I can observe the following situation on XP SP2 vs. Samba 3.0.23d:
>>
>> 1) XP does an EnumPrinterDataEx call with 0 bytes provided to Samba
>> 2) Samba counts the space needed and returns a *not 4-byte aligned* 
>> amount of space (I can see it on the wire - e.g. 1642)
>> 3) XP returns a 4-byte aligned value in the EnumPrinterDataEx - call.
>> In the above case: 1644
>> 4) The routine allocates 1644 bytes, does the call again and receives a
>> 	RPC_X_BAD_STUB_DATA (0x6f7 = 1783) error.
>>   Weird thing while debugging: I see the provided key name corrupted.
>>
>> The reason for this seems to be the returned buffer size in the RPC 
>> response.
>> The attached diff fixes this for the enumprinterdataex call.
> 
> Ok, I'm going to commit this one - makes sense to me. A problem
> with hand marshalling I think.
> 
>> P.S. I'm really not sure - but haven't we had this one before?
> 
> Not sure - this code will eventually greatly benefit from
> being PIDL generated. Please keep these fixes coming :-).
> 
>> --- orig/srv_spoolss_nt.c	2007-02-02 10:27:15.000000000 +0100
>> +++ work/srv_spoolss_nt.c	2007-02-02 10:28:03.000000000 +0100
>> @@ -9389,6 +9389,8 @@
>>  	/* copy data into the reply */
>>  	
>>  	r_u->ctr.size        	= r_u->needed;
>> +	if (needed % 4)
>> +		r_u->ctr.size += 4-(needed % 4);
>>  	r_u->ctr.size_of_array 	= r_u->returned;
>>  	r_u->ctr.values 	= enum_values;
>>  	
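Review bot: the padding is applied to `r_u->ctr.size` only, so after this hunk the reply's buffer size and `r_u->needed` (from which `ctr.size` was just copied) differ whenever `needed` is not a multiple of 4 (1644 vs. 1642 in the reported case); a client that allocates exactly the advertised needed value then receives a size field larger than its buffer. Consider aligning `needed` itself before it is compared with the client-offered size and stored in `r_u->needed`, so both fields carry the same value. Minor: `if (needed % 4) r_u->ctr.size += 4-(needed % 4);` can be written as a single `(needed + 3) & ~3`.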
> 
> Thanks !
> 
> Jeremy.
> 
Hi!
I certainly trapped Vista again.
The proposed fix works with XP but not with Vista.
Easy to compare: Samba returns a buffer size of 1642 bytes.
-> XP offers a buffer of 1644 bytes.
-> Vista 1642 bytes.

If we only align the buffer size (as in the proposed patch), we earn a 
1783 error. It seems that the buffer size in the RPC *must* match the 
"needed" size in the message itself.

So the better fix would be to align the "needed" var before the test
against the input size.

Martin
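The size bookkeeping discussed in this thread, as an added illustration that is not Samba code and not the patch under review. It models only the numbers reported above: a raw count of 1642 bytes, an XP client that rounds the advertised value up to 4 bytes, and a Vista client that allocates exactly what was advertised. The struct, the function names, and the assumption that a client rejects a response whose size field exceeds its own allocation are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the EnumPrinterDataEx reply sizes; the field and
 * function names are assumptions, not Samba's. */
struct reply_sizes {
    uint32_t needed; /* "needed" value carried inside the message */
    uint32_t size;   /* buffer size in the RPC response (ctr.size) */
};

/* Round up to the next multiple of 4. */
static uint32_t align4(uint32_t n)
{
    return (n + 3u) & ~3u;
}

/* Server side. raw_needed is the byte count before alignment (1642 on the
 * wire in the report). With align_needed_first == false only the size field
 * is padded, as in the first patch; with true, "needed" itself is aligned
 * before it is used, as proposed in the follow-up. */
struct reply_sizes build_reply(uint32_t raw_needed, bool align_needed_first)
{
    struct reply_sizes r;
    r.needed = align_needed_first ? align4(raw_needed) : raw_needed;
    r.size = align4(r.needed); /* diverges from needed when needed is unaligned */
    return r;
}

/* Client behaviours observed in the thread. */
uint32_t xp_buffer(uint32_t advertised_needed)    { return align4(advertised_needed); }
uint32_t vista_buffer(uint32_t advertised_needed) { return advertised_needed; }

/* Assumed client check: the size field must fit the buffer it allocated. */
bool second_call_ok(struct reply_sizes r, uint32_t client_buffer)
{
    return r.size <= client_buffer;
}
```

With the size-only padding, `build_reply(1642, false)` advertises 1642 and answers with size 1644: the XP model allocates 1644 and passes, the Vista model allocates 1642 and fails. Aligning first, `build_reply(1642, true)` advertises and answers 1644, so both client models allocate 1644 and pass.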


More information about the samba-technical mailing list