Bug 14572 - NULL pointer dereference in token_contains_name()
Summary: NULL pointer dereference in token_contains_name()
Status: RESOLVED DUPLICATE of bug 14568
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Printing (show other bugs)
Version: 4.12.9
Hardware: All All
: P5 regression (vote)
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-11 09:18 UTC by Richard Schütz
Modified: 2020-11-12 16:58 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Richard Schütz 2020-11-11 09:18:00 UTC 
After upgrading from 4.10.18-SerNet-Ubuntu-10.bionic to 4.12.9-SerNet-Ubuntu-9.bionic smbd segfaults when a shared printer is accessed and smb.conf contains invalid users configuration.

_spoolss_OpenPrinterEx() from the printing code calls user_ok_token() with domain=NULL which finally leads to a NULL pointer dereference by strlen() in token_contains_name().

This is a regression introduced by commit 5de7c91e6d4e98f438157a7675c8582cabdd828d ("s3:smbd: Fix %U substitutions if it contains a domain name").
Comment 1 Samba QA Contact 2020-11-12 15:14:21 UTC 
This bug was referenced in samba master:

8036bf9717f83e83c3e4a9cf00fded42e9a5de15
Comment 2 Jeremy Allison 2020-11-12 16:39:35 UTC 

*** This bug has been marked as a duplicate of bug 14568 ***
Comment 3 Jeremy Allison 2020-11-12 16:58:11 UTC 
Oh, looks like you fixed this in a different way by modifying the underlying called code.

I'm pretty sure this is the same bug though as 14568 though. I don't think your fix is actually needed as we ensure the all the callers now pass
info->domain_name here. Still, doesn't hurt to check ther.