package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch

   1 From 6cc45e3452194f312e04109cfdae047eb0719c7c Mon Sep 17 00:00:00 2001
   2 From: Jeremy Allison <jra@samba.org>
   3 Date: Tue, 2 Jan 2018 15:56:03 -0800
   4 Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null
   5  pointer derefs.
   6
   7 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
   8
   9 Signed-off-by: Jeremy Allison <jra@samba.org>
  10 ---
  11  source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++
  12  1 file changed, 13 insertions(+)
  13
  14 --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
  15 +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
  16 @@ -176,6 +176,11 @@ static void prune_printername_cache(void
  17  static const char *canon_servername(const char *servername)
  18  {
  19         const char *pservername = servername;
  20 +
  21 +       if (servername == NULL) {
  22 +               return "";
  23 +       }
  24 +
  25         while (*pservername == '\\') {
  26                 pservername++;
  27         }
  28 @@ -2080,6 +2085,10 @@ WERROR _spoolss_DeletePrinterDriver(stru
  29                 return WERR_ACCESS_DENIED;
  30         }
  31
  32 +       if (r->in.architecture == NULL || r->in.driver == NULL) {
  33 +               return WERR_INVALID_ENVIRONMENT;
  34 +       }
  35 +
  36         /* check that we have a valid driver name first */
  37
  38         if ((version = get_version_id(r->in.architecture)) == -1)
  39 @@ -2225,6 +2234,10 @@ WERROR _spoolss_DeletePrinterDriverEx(st
  40                 return WERR_ACCESS_DENIED;
  41         }
  42
  43 +       if (r->in.architecture == NULL || r->in.driver == NULL) {
  44 +               return WERR_INVALID_ENVIRONMENT;
  45 +       }
  46 +
  47         /* check that we have a valid driver name first */
  48         if (get_version_id(r->in.architecture) == -1) {
  49                 /* this is what NT returns */