[PATCH 1/5] spoolss: test unmarshalling formname with garbage after null

Mon Nov 14 09:59:42 MST 2011

OpenPrinterEx requests have been observed carrying a device mode
formname "A4" followed by non-utf16 garbage after the zero
terminator.

This test currently fails as the entire array is processed during
character conversion, including any garbage after the terminator.
---
 source4/torture/rpc/spoolss.c |   28 ++++++++++++++++++++++++++++
 1 files changed, 28 insertions(+), 0 deletions(-)

diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index 3809136..d809e46 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
@@ -2250,6 +2250,13 @@ static bool test_PrinterInfo_DevModes(struct torture_context *tctx,
 	struct spoolss_DeviceMode *devmode2;
 	struct policy_handle handle_devmode;
 	struct dcerpc_binding_handle *b = p->binding_handle;
+	enum ndr_err_code ndr_ret;
+	DATA_BLOB devmode_blob;
+	uint8_t bogus_dm[] = {0x00, 0x41, 0x00, 0x34, 0x00, 0x00, 0x00, 0x53,
+			      0xD8, 0x22, 0x20, 0x06, 0x00, 0xFC, 0x00, 0x50,
+			      0x00, 0x22, 0x20, 0x06, 0x00, 0x1C, 0x00, 0x52,
+			      0x00, 0x22, 0x20, 0x06, 0x00, 0xCC, 0x00, 0x51};
+
 
 	/* simply compare level8 and level2 devmode */
 
@@ -2385,6 +2392,27 @@ static bool test_PrinterInfo_DevModes(struct torture_context *tctx,
 
 	test_ClosePrinter(tctx, b, &handle_devmode);
 
+	/* unmarshall a formname with garbage after the null terminator */
+	devmode->formname = talloc_strdup(tctx, "OVERWRITE");
+
+	ndr_ret = ndr_push_struct_blob(&devmode_blob, tctx, devmode,
+			(ndr_push_flags_fn_t)ndr_push_spoolss_DeviceMode);
+	torture_assert(tctx, (ndr_ret == NDR_ERR_SUCCESS),
+		       "failed to marshall devmode");
+
+	memcpy(devmode_blob.data + 101,	/* formname offset */
+	       bogus_dm,		/* "A4" + garbage after null term */
+	       ARRAY_SIZE(bogus_dm));
+
+	/* garbage following "A4" + null term should be ignored */
+	ndr_ret = ndr_pull_struct_blob(&devmode_blob, tctx, devmode,
+			(ndr_pull_flags_fn_t)ndr_pull_spoolss_DeviceMode);
+	torture_assert(tctx, (ndr_ret == NDR_ERR_SUCCESS),
+		       "failed to unmarshall devmode");
+
+	torture_assert(tctx, strequal(devmode->formname, "A4"),
+		       "formname does not match expected");
+
 	return true;
 }
 
-- 
1.7.1

