From 04fe774537d5c87a7ee77fc69a86d66efdb19a6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 11 Nov 2016 16:29:20 +0100 Subject: [PATCH 1/2] spoolss: Use correct values for secdesc and devmode pointers ULONG_PTR needs to be decoded as a uint3264 and not as a 'uint32 *'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11197 Guenther Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Jeremy Allison (cherry picked from commit 73f664710a8c9b312a54d0cf41d2f4440c8b42eb) --- librpc/idl/spoolss.idl | 20 ++++++++++---------- source3/rpc_client/init_spoolss.c | 4 ++-- source3/rpcclient/cmd_spoolss.c | 4 ++-- source4/torture/rpc/spoolss.c | 12 ++++++------ source4/torture/rpc/spoolss_notify.c | 4 ++-- 5 files changed, 22 insertions(+), 22 deletions(-) diff --git a/librpc/idl/spoolss.idl b/librpc/idl/spoolss.idl index 5bbc267..d17fcf4 100644 --- a/librpc/idl/spoolss.idl +++ b/librpc/idl/spoolss.idl @@ -1011,9 +1011,9 @@ cpp_quote("#define spoolss_security_descriptor security_descriptor") [string,charset(UTF16)] uint16 *print_processor; [string,charset(UTF16)] uint16 *parameters; [string,charset(UTF16)] uint16 *driver_name; - uint32 *_devmode_ptr; /* pointer to truncated devicemode */ + uint3264 _devmode_ptr; /* ULONG_PTR */ [string,charset(UTF16)] uint16 *text_status; - uint32 *_secdesc_ptr; + uint3264 _secdesc_ptr; /* ULONG_PTR */ spoolss_JobStatus status; [range(0,99)] uint32 priority; uint32 position; @@ -1037,9 +1037,9 @@ cpp_quote("#define spoolss_security_descriptor security_descriptor") [string,charset(UTF16)] uint16 *print_processor; [string,charset(UTF16)] uint16 *parameters; [string,charset(UTF16)] uint16 *driver_name; - uint32 *_devmode_ptr; /* pointer to truncated devicemode */ + uint3264 _devmode_ptr; /* ULONG_PTR */ [string,charset(UTF16)] uint16 *text_status; - uint32 *_secdesc_ptr; + uint3264 _secdesc_ptr; /* ULONG_PTR */ spoolss_JobStatus status; [range(0,99)] uint32 priority; uint32 position; @@ -1201,12 +1201,12 @@ cpp_quote("#define spoolss_security_descriptor security_descriptor") [string,charset(UTF16)] uint16 *drivername; [string,charset(UTF16)] uint16 *comment; [string,charset(UTF16)] uint16 *location; - uint32 *devmode_ptr; + uint3264 devmode_ptr; /* ULONG_PTR */ [string,charset(UTF16)] uint16 *sepfile; [string,charset(UTF16)] uint16 *printprocessor; [string,charset(UTF16)] uint16 *datatype; [string,charset(UTF16)] uint16 *parameters; - uint32 *secdesc_ptr; + uint3264 secdesc_ptr; /* ULONG_PTR */ spoolss_PrinterAttributes attributes; [range(0,99)] uint32 priority; uint32 defaultpriority; @@ -1218,7 +1218,7 @@ cpp_quote("#define spoolss_security_descriptor security_descriptor") } spoolss_SetPrinterInfo2; typedef struct { - uint32 *sec_desc_ptr; + uint3264 sec_desc_ptr; /* ULONG_PTR */ } spoolss_SetPrinterInfo3; typedef struct { @@ -1245,11 +1245,11 @@ cpp_quote("#define spoolss_security_descriptor security_descriptor") } spoolss_SetPrinterInfo7; typedef struct { - uint32 *devmode_ptr; + uint3264 devmode_ptr; /* ULONG_PTR */ } spoolss_SetPrinterInfo8; typedef struct { - uint32 *devmode_ptr; + uint3264 devmode_ptr; /* ULONG_PTR */ } spoolss_SetPrinterInfo9; typedef [ms_union,switch_type(uint32)] union { @@ -2307,7 +2307,7 @@ cpp_quote("#define spoolss_security_descriptor security_descriptor") /* Function: 0x27 */ WERROR spoolss_DeletePort( [in,unique] [string,charset(UTF16)] uint16 *server_name, - [in] uint32 ptr, + [in] uint3264 ptr, /* ULONG_PTR */ [in,ref] [string,charset(UTF16)] uint16 *port_name ); diff --git a/source3/rpc_client/init_spoolss.c b/source3/rpc_client/init_spoolss.c index 7e29cdc..8b66227 100644 --- a/source3/rpc_client/init_spoolss.c +++ b/source3/rpc_client/init_spoolss.c @@ -107,12 +107,12 @@ void spoolss_printerinfo2_to_setprinterinfo2(const struct spoolss_PrinterInfo2 * s->drivername = i->drivername; s->comment = i->comment; s->location = i->location; - s->devmode_ptr = NULL; + s->devmode_ptr = 0; s->sepfile = i->sepfile; s->printprocessor = i->printprocessor; s->datatype = i->datatype; s->parameters = i->parameters; - s->secdesc_ptr = NULL; + s->secdesc_ptr = 0; s->attributes = i->attributes; s->priority = i->priority; s->defaultpriority = i->defaultpriority; diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c index 3191e80..192a4e4 100644 --- a/source3/rpcclient/cmd_spoolss.c +++ b/source3/rpcclient/cmd_spoolss.c @@ -1825,8 +1825,8 @@ static WERROR cmd_spoolss_addprinterex(struct rpc_pipe_client *cli, info2.comment = "Created by rpcclient"; info2.printprocessor = "winprint"; info2.datatype = "RAW"; - info2.devmode_ptr = NULL; - info2.secdesc_ptr = NULL; + info2.devmode_ptr = 0; + info2.secdesc_ptr = 0; info2.attributes = PRINTER_ATTRIBUTE_SHARED; info2.priority = 0; info2.defaultpriority = 0; diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c index 52494b6..a161a14 100644 --- a/source4/torture/rpc/spoolss.c +++ b/source4/torture/rpc/spoolss.c @@ -244,12 +244,12 @@ static bool PrinterInfo_to_SetPrinterInfo(struct torture_context *tctx, s->info2->drivername = i->info2.drivername; s->info2->comment = i->info2.comment; s->info2->location = i->info2.location; - s->info2->devmode_ptr = NULL; + s->info2->devmode_ptr = 0; s->info2->sepfile = i->info2.sepfile; s->info2->printprocessor = i->info2.printprocessor; s->info2->datatype = i->info2.datatype; s->info2->parameters = i->info2.parameters; - s->info2->secdesc_ptr = NULL; + s->info2->secdesc_ptr = 0; s->info2->attributes = i->info2.attributes; s->info2->priority = i->info2.priority; s->info2->defaultpriority = i->info2.defaultpriority; @@ -1448,8 +1448,8 @@ static bool test_SetPrinter_errors(struct torture_context *tctx, static void clear_info2(struct spoolss_SetPrinterInfoCtr *r) { if ((r->level == 2) && (r->info.info2)) { - r->info.info2->secdesc_ptr = NULL; - r->info.info2->devmode_ptr = NULL; + r->info.info2->secdesc_ptr = 0; + r->info.info2->devmode_ptr = 0; } } @@ -1922,7 +1922,7 @@ static bool test_sd_set_level(struct torture_context *tctx, } case 3: { - info3.sec_desc_ptr = NULL; + info3.sec_desc_ptr = 0; info_ctr.level = 3; info_ctr.info.info3 = &info3; @@ -2093,7 +2093,7 @@ static bool test_devmode_set_level(struct torture_context *tctx, case 8: { struct spoolss_SetPrinterInfo8 info8; - info8.devmode_ptr = NULL; + info8.devmode_ptr = 0; info_ctr.level = 8; info_ctr.info.info8 = &info8; diff --git a/source4/torture/rpc/spoolss_notify.c b/source4/torture/rpc/spoolss_notify.c index 945e653..928b619 100644 --- a/source4/torture/rpc/spoolss_notify.c +++ b/source4/torture/rpc/spoolss_notify.c @@ -391,12 +391,12 @@ static bool test_SetPrinter(struct torture_context *tctx, info2.drivername = info.info2.drivername; info2.comment = talloc_asprintf(tctx, "torture_comment %d\n", (int)time(NULL)); info2.location = info.info2.location; - info2.devmode_ptr = NULL; + info2.devmode_ptr = 0; info2.sepfile = info.info2.sepfile; info2.printprocessor = info.info2.printprocessor; info2.datatype = info.info2.datatype; info2.parameters = info.info2.parameters; - info2.secdesc_ptr = NULL; + info2.secdesc_ptr = 0; info2.attributes = info.info2.attributes; info2.priority = info.info2.priority; info2.defaultpriority = info.info2.defaultpriority; -- 2.10.2 From f202c5be54185855b7d5dc97332ec273906a254b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 11 Nov 2016 19:17:55 +0100 Subject: [PATCH 2/2] s4-torture: add spoolss_SetPrinter ndr test to validate secdesc_ptr BUG: https://bugzilla.samba.org/show_bug.cgi?id=11197 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Jeremy Allison (cherry picked from commit 574dd65a8185c90828e49b295d89153bae1563bf) --- source4/torture/ndr/spoolss.c | 57 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/source4/torture/ndr/spoolss.c b/source4/torture/ndr/spoolss.c index 5818fdf..960abd2 100644 --- a/source4/torture/ndr/spoolss.c +++ b/source4/torture/ndr/spoolss.c @@ -1768,6 +1768,61 @@ static bool rpcsetjobnamedproperty_req_check(struct torture_context *tctx, return true; } +static const uint8_t setprinter_level_3_xpsp3_req_data[] = { + 0x00, 0x00, 0x00, 0x00, 0x3c, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x2b, 0x55, 0x94, 0xbe, 0x50, 0x28, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0xd1, 0xe9, 0x06, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb4, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x02, 0x00, 0xb4, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x80, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x14, 0x00, 0x00, 0x00, 0x02, 0x00, 0xa0, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x18, 0x00, 0x0c, 0x00, 0x0f, 0x00, 0x01, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, + 0x00, 0x09, 0x18, 0x00, 0x30, 0x00, 0x0f, 0x00, 0x01, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x02, 0x00, 0x01, 0x05, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xa4, 0xc0, 0x7d, 0x3b, + 0xcc, 0xce, 0x29, 0xa7, 0xd1, 0xc7, 0xe9, 0xd4, 0x50, 0x04, 0x00, 0x00, + 0x00, 0x00, 0x18, 0x00, 0x0c, 0x00, 0x0f, 0x00, 0x01, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x26, 0x02, 0x00, 0x00, + 0x00, 0x09, 0x18, 0x00, 0x30, 0x00, 0x0f, 0x00, 0x01, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x26, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x14, 0x00, 0x08, 0x00, 0x02, 0x00, 0x01, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +static bool setprinter_level_3_xpsp3_req_check(struct torture_context *tctx, + struct spoolss_SetPrinter *r) +{ + struct GUID guid; + + torture_assert_ntstatus_ok(tctx, + GUID_from_string("0000053c-0000-0000-2b55-94be50280000", &guid), + "failed to parse GUID"); + torture_assert_int_equal(tctx, r->in.handle->handle_type, 0, "handle_type"); + torture_assert_guid_equal(tctx, r->in.handle->uuid, guid, "handle.uuid"); + + torture_assert(tctx, r->in.info_ctr, "info_ctr"); + torture_assert_int_equal(tctx, r->in.info_ctr->level, 3, "level"); + torture_assert_int_equal(tctx, r->in.info_ctr->info.info3->sec_desc_ptr, 0x06e9d108, "sec_desc_ptr"); + + torture_assert(tctx, r->in.devmode_ctr, "devmode_ctr"); + torture_assert_int_equal(tctx, r->in.devmode_ctr->_ndr_size, 0, "_ndr_size"); + torture_assert(tctx, r->in.devmode_ctr->devmode == NULL, "devmode"); + + torture_assert(tctx, r->in.secdesc_ctr, "secdesc_ctr"); + torture_assert_int_equal(tctx, r->in.secdesc_ctr->sd_size, 0x000000b4, "sd_size"); + torture_assert_int_equal(tctx, r->in.secdesc_ctr->sd->revision, SECURITY_DESCRIPTOR_REVISION_1, "revision"); + torture_assert_int_equal(tctx, r->in.secdesc_ctr->sd->type, 0x8004, "type"); + torture_assert(tctx, r->in.secdesc_ctr->sd, "sd"); + torture_assert(tctx, r->in.secdesc_ctr->sd->owner_sid == NULL, "owner_sid"); + torture_assert(tctx, r->in.secdesc_ctr->sd->group_sid == NULL, "group_sid"); + torture_assert(tctx, r->in.secdesc_ctr->sd->sacl == NULL, "sacl"); + torture_assert(tctx, r->in.secdesc_ctr->sd->dacl, "dacl"); + + return true; +} + struct torture_suite *ndr_spoolss_suite(TALLOC_CTX *ctx) { struct torture_suite *suite = torture_suite_create(ctx, "spoolss"); @@ -1831,5 +1886,7 @@ struct torture_suite *ndr_spoolss_suite(TALLOC_CTX *ctx) torture_suite_add_ndr_pull_fn_test(suite, spoolss_RpcSetJobNamedProperty, rpcsetjobnamedproperty_req_data, NDR_IN, rpcsetjobnamedproperty_req_check); + torture_suite_add_ndr_pull_fn_test(suite, spoolss_SetPrinter, setprinter_level_3_xpsp3_req_data, NDR_IN, setprinter_level_3_xpsp3_req_check); + return suite; } -- 2.10.2