[Samba] string overflow in rpcclient add "printer" driver command
Jeremy Allison
jra at samba.org
Thu Jun 7 00:33:19 GMT 2007
On Wed, Jun 06, 2007 at 06:36:28PM -0300, Emanuel Moura dos Santos wrote:
> Hello,
>
> I get the following error msg in rpcclient -c 'adddriver' command:
>
> ERROR: string overflow by 1 (1024 - 1023) in safe_strcpy [adddriver "Windows NT x86" "My Driver Name 001:aaa]
> Printer Driver My Driver Name 001 successfully installed.
>
> My command is like this:
>
> rpcclient MYSRV -s /etc/samba/smb.conf -A auth.txt -c 'adddriver "Windows NT x86" "My Driver Name 001:
> aaaaaa.001:aaaaaa.002:aaaaaa.003:aaaaaa.004::NULL:aaaaaa.001,
> ..... bla bla bla ... bbbbbbb.022, ... bla bla bla ...
> aaaaaaa.077,ccccccc.078"'
>
> My system is RHEL 5, Samba version is 3.0.23c-2.el5.2.0.2.x86_64. I found the same error in Fedora 6 Samba
> 3.0.24-5. I tried with 3.0.25a, but I get the same error too.
>
> The error, I think, is in the next_command function in source/rpcclient/rpcclient.c, in the pstrcpy() call.
Good catch. Can you try this patch instead? Let me know if it works and
I'll check it in.
Thanks,
Jeremy.
-------------- next part --------------
Index: rpcclient/rpcclient.c
===================================================================
--- rpcclient/rpcclient.c (revision 23369)
+++ rpcclient/rpcclient.c (working copy)
@@ -107,9 +107,9 @@
return matches;
}
-static char* next_command (char** cmdstr)
+static char *next_command (char **cmdstr)
{
- static pstring command;
+ char *command;
char *p;
if (!cmdstr || !(*cmdstr))
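Review bot: the change from `static pstring command;` to `char *command;` alters the ownership contract of next_command() without documenting it. The static buffer needed no cleanup, while the pointer that the rest of the patch fills with SMB_STRDUP() has to be released by the caller. Add a comment above the function stating that the returned string is allocated and must be freed by the caller (for example with SAFE_FREE()).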
@@ -118,7 +118,7 @@
p = strchr_m(*cmdstr, ';');
if (p)
*p = '\0';
- pstrcpy(command, *cmdstr);
+ command = SMB_STRDUP(*cmdstr);
if (p)
*cmdstr = p + 1;
else
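Review bot: the result of `command = SMB_STRDUP(*cmdstr);` is not checked. If the allocation can fail and yield NULL, and next_command() still returns command, the caller's `while((cmd=next_command(&p)) != NULL)` loop reads that as the end of the command string and silently skips the remaining commands. Check for NULL here and report the failure so it can be told apart from normal end of input.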
@@ -828,6 +828,7 @@
while((cmd=next_command(&p)) != NULL) {
NTSTATUS cmd_result = process_cmd(cli, cmd);
+ SAFE_FREE(cmd);
result = NT_STATUS_IS_ERR(cmd_result);
}
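Review bot: `SAFE_FREE(cmd);` covers this loop, but the patch shows only this one call site. Because next_command() used to return a static buffer, any other caller not in this diff would now leak every string it gets back, so check the remaining callers and free there too. Freeing directly after process_cmd() is correct as long as process_cmd() does not keep a pointer into cmd.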