[Samba] string overflow in rpcclient add "printer" driver command

Emanuel Moura dos Santos emanuelsan at terra.com.br
Wed Jun 6 21:36:28 GMT 2007


I get the folowing error msg in rpcclient -c 'adddriver' command:

ERROR: string overflow by 1 (1024 - 1023) in safe_strcpy [adddriver "Windows NT x86" "My Driver Name 001:aaa]
Printer Driver My Driver Name 001 successfully installed.

My command is like this:

rpcclient MYSRV -s /etc/samba/smb.conf -A auth.txt -c 'adddriver "Windows NT x86" "My Driver Name 001:  
      ..... bla bla bla ... bbbbbbb.022, ... bla bla bla ...

My system is RHEL 5, Samba version is 3.0.23c-2.el5.2.0.2.x86_64. The same error I found in Fedora 6 Samba
3.0.24-5. I try with 3.0.25a, but I get same error too.

The error, I think, is in source/rpcclient/rpcclient.c next_command function in pstrcpy() call.

I tried to fix changing the line definition in source/include/pstring.h for:

   #define PSTRING_LEN 2048   /*  was 1024 */

but I get compiler errors like:

nmbd/nmbd_incomingdgrams.o: In function `process_get_backup_list_request':
nmbd_incomingdgrams.c:(.text+0x7db): undefined reference to `__unsafe_string_function_usage_here_size_t__'

The registry in ntdrivers.tdb is not complete too:

# tdbdump /var/cache/samba/ntdrivers.tdb  | grep "My Driver Name"
key(36) = "DRIVERS/W32X86/3/My Driver Name 001\00"
data(406) = "\03\00\00\00My Driver Name 001\00Windows NT x86\00\5Cprint$\5CW32X86\5C3\5Caaaaaa.001\00 
                    ... bbbbbbb.02\00"

I found four printer drivers with many files components (and long "-c" command strings):

  HP LaserJet 2420 PS   (1027 bytes in -c)
  Canon S200            (1544 bytes in -c)
  Canon iP1200          (1782 bytes in -c)
  Canon PIXMA iP1000    (2014 bytes in -c)

Any ideas?

More information about the samba mailing list