Changeset 26 for trunk/samba/source/smbd/lanman.c
- Timestamp:
- Apr 10, 2007, 5:27:38 AM (14 years ago)
- File:
-
- 1 edited
trunk/samba/source/smbd/lanman.c
r1 r26 3 3 Inter-process communication and named pipe handling 4 4 Copyright (C) Andrew Tridgell 1992-1998 5 Copyright (C) Jeremy Allison 2007. 5 6 6 7 SMB Version handling … … 51 52 #define SHPWLEN 8 /* share password length */ 52 53 53 static BOOL api_Unsupported(connection_struct *conn,uint16 vuid, char *param, char *data, 54 int mdrcnt, int mprcnt, 55 char **rdata, char **rparam, 56 int *rdata_len, int *rparam_len); 54 static BOOL api_Unsupported(connection_struct *conn, uint16 vuid, 55 char *param, int tpscnt, 56 char *data, int tdscnt, 57 int mdrcnt, int mprcnt, 58 char **rdata, char **rparam, 59 int *rdata_len, int *rparam_len); 60 57 61 static BOOL api_TooSmall(connection_struct *conn, uint16 vuid, char *param, char *data, 58 62 int mdrcnt, int mprcnt, … … 438 442 break; 439 443 default: 444 DEBUG(0,("check_printq_info: invalid level %d\n", 445 uLevel )); 440 446 return False; 441 447 } 442 if (strcmp(desc->format,id1) != 0) { 443 return False; 444 } 445 if (desc->subformat && strcmp(desc->subformat,id2) != 0) { 448 if (id1 == NULL || strcmp(desc->format,id1) != 0) { 449 DEBUG(0,("check_printq_info: invalid format %s\n", 450 id1 ? id1 : "<NULL>" )); 451 return False; 452 } 453 if (desc->subformat && (id2 == NULL || strcmp(desc->subformat,id2) != 0)) { 454 DEBUG(0,("check_printq_info: invalid subformat %s\n", 455 id2 ? 
id2 : "<NULL>" )); 446 456 return False; 447 457 } … … 586 596 goto err; 587 597 } 588 598 589 599 if ( !W_ERROR_IS_OK(get_a_printer_driver(&driver, 3, printer->info_2->drivername, 590 600 "Windows 4.0", 0)) ) … … 598 608 trim_string(driver.info_3->datafile, "\\print$\\WIN40\\0\\", 0); 599 609 trim_string(driver.info_3->helpfile, "\\print$\\WIN40\\0\\", 0); 600 610 601 611 PACKI(desc, "W", 0x0400); /* don't know */ 602 612 PACKS(desc, "z", driver.info_3->name); /* long printer name */ … … 604 614 PACKS(desc, "z", driver.info_3->datafile); /* Datafile name */ 605 615 PACKS(desc, "z", driver.info_3->monitorname); /* language monitor */ 606 616 607 617 fstrcpy(location, "\\\\%L\\print$\\WIN40\\0"); 608 618 standard_sub_basic( "", "", location, sizeof(location)-1 ); 609 619 PACKS(desc,"z", location); /* share to retrieve files */ 610 620 611 621 PACKS(desc,"z", driver.info_3->defaultdatatype); /* default data type */ 612 622 PACKS(desc,"z", driver.info_3->helpfile); /* helpfile name */ … … 628 638 DEBUG(3,("Dependent File: %s:\n",driver.info_3->dependentfiles[i])); 629 639 } 630 640 631 641 /* sanity check */ 632 642 if ( i != count ) 633 643 DEBUG(3,("fill_printq_info_52: file count specified by client [%d] != number of dependent files [%i]\n", 634 644 count, i)); 635 645 636 646 DEBUG(3,("fill_printq_info on <%s> gave %d entries\n", SERVICE(snum),i)); 637 647 … … 646 656 if ( printer ) 647 657 free_a_printer( &printer, 2 ); 648 658 649 659 if ( driver.info_3 ) 650 660 free_a_printer_driver( driver, 3 ); … … 744 754 goto done; 745 755 } 746 756 747 757 if ( !W_ERROR_IS_OK(get_a_printer_driver(&driver, 3, printer->info_2->drivername, 748 758 "Windows 4.0", 0)) ) … … 752 762 goto done; 753 763 } 754 764 755 765 /* count the number of files */ 756 766 while ( driver.info_3->dependentfiles && *driver.info_3->dependentfiles[result] ) … … 760 770 if ( printer ) 761 771 free_a_printer( &printer, 2 ); 762 772 763 773 if ( driver.info_3 ) 764 774 free_a_printer_driver( driver, 
3 ); 765 775 766 776 return result; 767 777 } 768 778 769 static BOOL api_DosPrintQGetInfo(connection_struct *conn, 770 uint16 vuid, char *param,char *data, 771 int mdrcnt,int mprcnt, 772 char **rdata,char **rparam, 773 int *rdata_len,int *rparam_len) 774 { 775 char *str1 = param+2; 776 char *str2 = skip_string(str1,1); 777 char *p = skip_string(str2,1); 779 static BOOL api_DosPrintQGetInfo(connection_struct *conn, uint16 vuid, 780 char *param, int tpscnt, 781 char *data, int tdscnt, 782 int mdrcnt,int mprcnt, 783 char **rdata,char **rparam, 784 int *rdata_len,int *rparam_len) 785 { 786 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 787 char *str2 = skip_string(param,tpscnt,str1); 788 char *p = skip_string(param,tpscnt,str2); 778 789 char *QueueName = p; 779 790 unsigned int uLevel; 780 791 int count=0; 781 792 int snum; 782 char *str3;793 char *str3; 783 794 struct pack_desc desc; 784 795 print_queue_struct *queue=NULL; … … 786 797 char* tmpdata=NULL; 787 798 799 if (!str1 || !str2 || !p) { 800 return False; 801 } 788 802 memset((char *)&status,'\0',sizeof(status)); 789 803 memset((char *)&desc,'\0',sizeof(desc)); 790 791 p = skip_string(p,1); 792 uLevel = SVAL(p,0); 793 str3 = p + 4; 794 804 805 p = skip_string(param,tpscnt,p); 806 if (!p) { 807 return False; 808 } 809 uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 810 str3 = get_safe_str_ptr(param,tpscnt,p,4); 811 /* str3 may be null here and is checked in check_printq_info(). 
*/ 812 795 813 /* remove any trailing username */ 796 814 if ((p = strchr_m(QueueName,'%'))) … … 884 902 ****************************************************************************/ 885 903 886 static BOOL api_DosPrintQEnum(connection_struct *conn, uint16 vuid, char* param, char* data, 887 int mdrcnt, int mprcnt, 888 char **rdata, char** rparam, 889 int *rdata_len, int *rparam_len) 890 { 891 char *param_format = param+2; 892 char *output_format1 = skip_string(param_format,1); 893 char *p = skip_string(output_format1,1); 894 unsigned int uLevel = SVAL(p,0); 895 char *output_format2 = p + 4; 904 static BOOL api_DosPrintQEnum(connection_struct *conn, uint16 vuid, 905 char *param, int tpscnt, 906 char *data, int tdscnt, 907 int mdrcnt, int mprcnt, 908 char **rdata, char** rparam, 909 int *rdata_len, int *rparam_len) 910 { 911 char *param_format = get_safe_str_ptr(param,tpscnt,param,2); 912 char *output_format1 = skip_string(param,tpscnt,param_format); 913 char *p = skip_string(param,tpscnt,output_format1); 914 unsigned int uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 915 char *output_format2 = get_safe_str_ptr(param,tpscnt,p,4); 896 916 int services = lp_numservices(); 897 917 int i, n; … … 902 922 int queuecnt = 0, subcnt = 0, succnt = 0; 903 923 924 if (!param_format || !output_format1 || !p) { 925 return False; 926 } 927 904 928 memset((char *)&desc,'\0',sizeof(desc)); 905 929 … … 1253 1277 ****************************************************************************/ 1254 1278 1255 static BOOL api_RNetServerEnum(connection_struct *conn, uint16 vuid, char *param, char *data, 1256 int mdrcnt, int mprcnt, char **rdata, 1257 char **rparam, int *rdata_len, int *rparam_len) 1258 { 1259 char *str1 = param+2; 1260 char *str2 = skip_string(str1,1); 1261 char *p = skip_string(str2,1); 1262 int uLevel = SVAL(p,0); 1263 int buf_len = SVAL(p,2); 1264 uint32 servertype = IVAL(p,4); 1279 static BOOL api_RNetServerEnum(connection_struct *conn, uint16 vuid, 1280 char *param, int 
tpscnt, 1281 char *data, int tdscnt, 1282 int mdrcnt, int mprcnt, char **rdata, 1283 char **rparam, int *rdata_len, int *rparam_len) 1284 { 1285 char *str1 = get_safe_str_ptr(param, tpscnt, param, 2); 1286 char *str2 = skip_string(param,tpscnt,str1); 1287 char *p = skip_string(param,tpscnt,str2); 1288 int uLevel = get_safe_SVAL(param, tpscnt, p, 0, -1); 1289 int buf_len = get_safe_SVAL(param,tpscnt, p, 2, 0); 1290 uint32 servertype = get_safe_IVAL(param,tpscnt,p,4, 0); 1265 1291 char *p2; 1266 1292 int data_len, fixed_len, string_len; … … 1273 1299 BOOL local_request; 1274 1300 1301 if (!str1 || !str2 || !p) { 1302 return False; 1303 } 1304 1275 1305 /* If someone sets all the bits they don't really mean to set 1276 1306 DOMAIN_ENUM and LOCAL_LIST_ONLY, they just want all the … … 1308 1338 1309 1339 if (strcmp(str1, "WrLehDz") == 0) { 1340 if (skip_string(param,tpscnt,p) == NULL) { 1341 return False; 1342 } 1310 1343 pull_ascii_fstring(domain, p); 1311 1344 } else { … … 1400 1433 ****************************************************************************/ 1401 1434 1402 static BOOL api_RNetGroupGetUsers(connection_struct *conn, uint16 vuid, char *param, char *data, 1403 int mdrcnt, int mprcnt, char **rdata, 1404 char **rparam, int *rdata_len, int *rparam_len) 1405 { 1406 char *str1 = param+2; 1407 char *str2 = skip_string(str1,1); 1408 char *p = skip_string(str2,1); 1409 int uLevel = SVAL(p,0); 1410 int buf_len = SVAL(p,2); 1435 static BOOL api_RNetGroupGetUsers(connection_struct *conn, uint16 vuid, 1436 char *param, int tpscnt, 1437 char *data, int tdscnt, 1438 int mdrcnt, int mprcnt, char **rdata, 1439 char **rparam, int *rdata_len, int *rparam_len) 1440 { 1441 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 1442 char *str2 = skip_string(param,tpscnt,str1); 1443 char *p = skip_string(param,tpscnt,str2); 1444 int uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 1445 int buf_len = get_safe_SVAL(param,tpscnt,p,2,0); 1411 1446 int counted=0; 1412 1447 int missed=0; 
1448 1449 if (!str1 || !str2 || !p) { 1450 return False; 1451 } 1413 1452 1414 1453 DEBUG(5,("RNetGroupGetUsers: %s %s %s %d %d\n", … … 1583 1622 } 1584 1623 1585 static BOOL api_RNetShareGetInfo(connection_struct *conn,uint16 vuid, char *param,char *data, 1586 int mdrcnt,int mprcnt, 1587 char **rdata,char **rparam, 1588 int *rdata_len,int *rparam_len) 1589 { 1590 char *str1 = param+2; 1591 char *str2 = skip_string(str1,1); 1592 char *netname = skip_string(str2,1); 1593 char *p = skip_string(netname,1); 1594 int uLevel = SVAL(p,0); 1595 int snum = find_service(netname); 1624 static BOOL api_RNetShareGetInfo(connection_struct *conn,uint16 vuid, 1625 char *param, int tpscnt, 1626 char *data, int tdscnt, 1627 int mdrcnt,int mprcnt, 1628 char **rdata,char **rparam, 1629 int *rdata_len,int *rparam_len) 1630 { 1631 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 1632 char *str2 = skip_string(param,tpscnt,str1); 1633 char *netname = skip_string(param,tpscnt,str2); 1634 char *p = skip_string(param,tpscnt,netname); 1635 int uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 1636 int snum; 1596 1637 1638 if (!str1 || !str2 || !netname || !p) { 1639 return False; 1640 } 1641 1642 snum = find_service(netname); 1597 1643 if (snum < 0) { 1598 1644 return False; … … 1639 1685 ****************************************************************************/ 1640 1686 1641 static BOOL api_RNetShareEnum( connection_struct *conn, 1642 uint16 vuid, 1643 char *param, 1644 char *data, 1645 int mdrcnt, 1646 int mprcnt, 1647 char **rdata, 1648 char **rparam, 1649 int *rdata_len, 1650 int *rparam_len ) 1651 { 1652 char *str1 = param+2; 1653 char *str2 = skip_string(str1,1); 1654 char *p = skip_string(str2,1); 1655 int uLevel = SVAL(p,0); 1656 int buf_len = SVAL(p,2); 1687 static BOOL api_RNetShareEnum( connection_struct *conn, uint16 vuid, 1688 char *param, int tpscnt, 1689 char *data, int tdscnt, 1690 int mdrcnt, 1691 int mprcnt, 1692 char **rdata, 1693 char **rparam, 1694 int *rdata_len, 1695 
int *rparam_len ) 1696 { 1697 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 1698 char *str2 = skip_string(param,tpscnt,str1); 1699 char *p = skip_string(param,tpscnt,str2); 1700 int uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 1701 int buf_len = get_safe_SVAL(param,tpscnt,p,2,0); 1657 1702 char *p2; 1658 1703 int count = 0; … … 1663 1708 int f_len = 0, s_len = 0; 1664 1709 1710 if (!str1 || !str2 || !p) { 1711 return False; 1712 } 1713 1665 1714 if (!prefix_ok(str1,"WrLeh")) { 1666 1715 return False; … … 1743 1792 ****************************************************************************/ 1744 1793 1745 static BOOL api_RNetShareAdd(connection_struct *conn,uint16 vuid, char *param,char *data, 1746 int mdrcnt,int mprcnt, 1747 char **rdata,char **rparam, 1748 int *rdata_len,int *rparam_len) 1749 { 1750 char *str1 = param+2; 1751 char *str2 = skip_string(str1,1); 1752 char *p = skip_string(str2,1); 1753 int uLevel = SVAL(p,0); 1794 static BOOL api_RNetShareAdd(connection_struct *conn,uint16 vuid, 1795 char *param, int tpscnt, 1796 char *data, int tdscnt, 1797 int mdrcnt,int mprcnt, 1798 char **rdata,char **rparam, 1799 int *rdata_len,int *rparam_len) 1800 { 1801 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 1802 char *str2 = skip_string(param,tpscnt,str1); 1803 char *p = skip_string(param,tpscnt,str2); 1804 int uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 1754 1805 fstring sharename; 1755 1806 fstring comment; … … 1760 1811 int res = ERRunsup; 1761 1812 1813 if (!str1 || !str2 || !p) { 1814 return False; 1815 } 1816 1762 1817 /* check it's a supported varient */ 1763 1818 if (!prefix_ok(str1,RAP_WShareAdd_REQ)) { … … 1771 1826 } 1772 1827 1828 /* Do we have a string ? 
*/ 1829 if (skip_string(data,mdrcnt,data) == NULL) { 1830 return False; 1831 } 1773 1832 pull_ascii_fstring(sharename,data); 1774 1833 snum = find_service(sharename); … … 1778 1837 } 1779 1838 1839 if (mdrcnt < 28) { 1840 return False; 1841 } 1842 1780 1843 /* only support disk share adds */ 1781 1844 if (SVAL(data,14)!=STYPE_DISKTREE) { … … 1789 1852 } 1790 1853 1854 /* Do we have a string ? */ 1855 if (skip_string(data,mdrcnt,data+offset) == NULL) { 1856 return False; 1857 } 1791 1858 pull_ascii_fstring(comment, offset? (data+offset) : ""); 1792 1859 … … 1798 1865 } 1799 1866 1867 /* Do we have a string ? */ 1868 if (skip_string(data,mdrcnt,data+offset) == NULL) { 1869 return False; 1870 } 1800 1871 pull_ascii_pstring(pathname, offset? (data+offset) : ""); 1801 1872 … … 1858 1929 ****************************************************************************/ 1859 1930 1860 static BOOL api_RNetGroupEnum(connection_struct *conn,uint16 vuid, char *param,char *data, 1861 int mdrcnt,int mprcnt, 1862 char **rdata,char **rparam, 1863 int *rdata_len,int *rparam_len) 1931 static BOOL api_RNetGroupEnum(connection_struct *conn,uint16 vuid, 1932 char *param, int tpscnt, 1933 char *data, int tdscnt, 1934 int mdrcnt,int mprcnt, 1935 char **rdata,char **rparam, 1936 int *rdata_len,int *rparam_len) 1864 1937 { 1865 1938 int i; 1866 1939 int errflags=0; 1867 1940 int resume_context, cli_buf_size; 1868 char *str1 = param+2;1869 char *str2 = skip_string( str1,1);1870 char *p = skip_string( str2,1);1941 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 1942 char *str2 = skip_string(param,tpscnt,str1); 1943 char *p = skip_string(param,tpscnt,str2); 1871 1944 1872 1945 struct pdb_search *search; … … 1875 1948 int num_entries; 1876 1949 1950 if (!str1 || !str2 || !p) { 1951 return False; 1952 } 1953 1877 1954 if (strcmp(str1,"WrLeh") != 0) { 1878 1955 return False; … … 1901 1978 } 1902 1979 1903 resume_context = SVAL(p,0);1904 cli_buf_size= SVAL(p+2,0);1980 resume_context = 
get_safe_SVAL(param,tpscnt,p,0,-1); 1981 cli_buf_size= get_safe_SVAL(param,tpscnt,p,2,0); 1905 1982 DEBUG(10,("api_RNetGroupEnum:resume context: %d, client buffer size: " 1906 1983 "%d\n", resume_context, cli_buf_size)); … … 1958 2035 ******************************************************************/ 1959 2036 1960 static BOOL api_NetUserGetGroups(connection_struct *conn,uint16 vuid, char *param,char *data, 1961 int mdrcnt,int mprcnt, 1962 char **rdata,char **rparam, 1963 int *rdata_len,int *rparam_len) 1964 { 1965 char *str1 = param+2; 1966 char *str2 = skip_string(str1,1); 1967 char *UserName = skip_string(str2,1); 1968 char *p = skip_string(UserName,1); 1969 int uLevel = SVAL(p,0); 2037 static BOOL api_NetUserGetGroups(connection_struct *conn,uint16 vuid, 2038 char *param, int tpscnt, 2039 char *data, int tdscnt, 2040 int mdrcnt,int mprcnt, 2041 char **rdata,char **rparam, 2042 int *rdata_len,int *rparam_len) 2043 { 2044 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 2045 char *str2 = skip_string(param,tpscnt,str1); 2046 char *UserName = skip_string(param,tpscnt,str2); 2047 char *p = skip_string(param,tpscnt,UserName); 2048 int uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 1970 2049 const char *level_string; 1971 2050 int count=0; … … 1981 2060 TALLOC_CTX *mem_ctx; 1982 2061 2062 if (!str1 || !str2 || !UserName || !p) { 2063 return False; 2064 } 2065 1983 2066 *rparam_len = 8; 1984 2067 *rparam = SMB_REALLOC_LIMIT(*rparam,*rparam_len); … … 2091 2174 ******************************************************************/ 2092 2175 2093 static BOOL api_RNetUserEnum(connection_struct *conn,uint16 vuid, char *param,char *data, 2094 int mdrcnt,int mprcnt, 2095 char **rdata,char **rparam, 2096 int *rdata_len,int *rparam_len) 2176 static BOOL api_RNetUserEnum(connection_struct *conn, uint16 vuid, 2177 char *param, int tpscnt, 2178 char *data, int tdscnt, 2179 int mdrcnt,int mprcnt, 2180 char **rdata,char **rparam, 2181 int *rdata_len,int *rparam_len) 2097 2182 { 2098 
2183 int count_sent=0; … … 2103 2188 struct samr_displayentry *users; 2104 2189 2105 char *str1 = param+2; 2106 char *str2 = skip_string(str1,1); 2107 char *p = skip_string(str2,1); 2190 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 2191 char *str2 = skip_string(param,tpscnt,str1); 2192 char *p = skip_string(param,tpscnt,str2); 2193 2194 if (!str1 || !str2 || !p) { 2195 return False; 2196 } 2108 2197 2109 2198 if (strcmp(str1,"WrLeh") != 0) … … 2117 2206 */ 2118 2207 2119 resume_context = SVAL(p,0);2120 cli_buf_size= SVAL(p+2,0);2208 resume_context = get_safe_SVAL(param,tpscnt,p,0,-1); 2209 cli_buf_size= get_safe_SVAL(param,tpscnt,p,2,0); 2121 2210 DEBUG(10,("api_RNetUserEnum:resume context: %d, client buffer size: %d\n", 2122 2211 resume_context, cli_buf_size)); … … 2189 2278 ****************************************************************************/ 2190 2279 2191 static BOOL api_NetRemoteTOD(connection_struct *conn,uint16 vuid, char *param,char *data, 2192 int mdrcnt,int mprcnt, 2193 char **rdata,char **rparam, 2194 int *rdata_len,int *rparam_len) 2280 static BOOL api_NetRemoteTOD(connection_struct *conn,uint16 vuid, 2281 char *param, int tpscnt, 2282 char *data, int tdscnt, 2283 int mdrcnt,int mprcnt, 2284 char **rdata,char **rparam, 2285 int *rdata_len,int *rparam_len) 2195 2286 { 2196 2287 struct tm *t; … … 2245 2336 *****************************************************************************/ 2246 2337 2247 static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param,char *data, 2338 static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, 2339 char *param, int tpscnt, 2340 char *data, int tdscnt, 2248 2341 int mdrcnt,int mprcnt, 2249 2342 char **rdata,char **rparam, 2250 2343 int *rdata_len,int *rparam_len) 2251 2344 { 2252 char *p = skip_string(param+2,2); 2345 char *np = get_safe_str_ptr(param,tpscnt,param,2); 2346 char *p = NULL; 2253 2347 fstring user; 2254 2348 fstring pass1,pass2; 2255 2349 2350 /* Skip 2 
strings. */ 2351 p = skip_string(param,tpscnt,np); 2352 p = skip_string(param,tpscnt,p); 2353 2354 if (!np || !p) { 2355 return False; 2356 } 2357 2358 /* Do we have a string ? */ 2359 if (skip_string(param,tpscnt,p) == NULL) { 2360 return False; 2361 } 2256 2362 pull_ascii_fstring(user,p); 2257 2363 2258 p = skip_string(p,1); 2364 p = skip_string(param,tpscnt,p); 2365 if (!p) { 2366 return False; 2367 } 2259 2368 2260 2369 memset(pass1,'\0',sizeof(pass1)); 2261 2370 memset(pass2,'\0',sizeof(pass2)); 2371 /* 2372 * We use 31 here not 32 as we're checking 2373 * the last byte we want to access is safe. 2374 */ 2375 if (!is_offset_safe(param,tpscnt,p,31)) { 2376 return False; 2377 } 2262 2378 memcpy(pass1,p,16); 2263 2379 memcpy(pass2,p+16,16); … … 2331 2447 ****************************************************************************/ 2332 2448 2333 static BOOL api_SamOEMChangePassword(connection_struct *conn,uint16 vuid, char *param,char *data, 2449 static BOOL api_SamOEMChangePassword(connection_struct *conn,uint16 vuid, 2450 char *param, int tpscnt, 2451 char *data, int tdscnt, 2334 2452 int mdrcnt,int mprcnt, 2335 2453 char **rdata,char **rparam, … … 2337 2455 { 2338 2456 fstring user; 2339 char *p = param + 2;2457 char *p = get_safe_str_ptr(param,tpscnt,param,2); 2340 2458 *rparam_len = 2; 2341 2459 *rparam = SMB_REALLOC_LIMIT(*rparam,*rparam_len); … … 2344 2462 } 2345 2463 2464 if (!p) { 2465 return False; 2466 } 2346 2467 *rdata_len = 0; 2347 2468 … … 2352 2473 */ 2353 2474 2354 if(!strequal(param + 2, "zsT")) { 2355 DEBUG(0,("api_SamOEMChangePassword: Invalid parameter string %s\n", param + 2)); 2356 return False; 2357 } 2358 p = skip_string(p, 1); 2359 2475 /* Do we have a string ? 
*/ 2476 if (skip_string(param,tpscnt,p) == 0) { 2477 return False; 2478 } 2479 if(!strequal(p, "zsT")) { 2480 DEBUG(0,("api_SamOEMChangePassword: Invalid parameter string %s\n", p)); 2481 return False; 2482 } 2483 p = skip_string(param, tpscnt, p); 2484 if (!p) { 2485 return False; 2486 } 2487 2488 /* Do we have a string ? */ 2489 if (skip_string(param,tpscnt,p) == 0) { 2490 return False; 2491 } 2360 2492 if(!strequal(p, "B516B16")) { 2361 2493 DEBUG(0,("api_SamOEMChangePassword: Invalid data parameter string %s\n", p)); 2362 2494 return False; 2363 2495 } 2364 p = skip_string(p,1); 2496 p = skip_string(param,tpscnt,p); 2497 if (!p) { 2498 return False; 2499 } 2500 /* Do we have a string ? */ 2501 if (skip_string(param,tpscnt,p) == 0) { 2502 return False; 2503 } 2365 2504 p += pull_ascii_fstring(user,p); 2366 2505 … … 2386 2525 ****************************************************************************/ 2387 2526 2388 static BOOL api_RDosPrintJobDel(connection_struct *conn,uint16 vuid, char *param,char *data, 2527 static BOOL api_RDosPrintJobDel(connection_struct *conn,uint16 vuid, 2528 char *param, int tpscnt, 2529 char *data, int tdscnt, 2389 2530 int mdrcnt,int mprcnt, 2390 2531 char **rdata,char **rparam, 2391 2532 int *rdata_len,int *rparam_len) 2392 2533 { 2393 int function = SVAL(param,0);2394 char *str1 = param+2;2395 char *str2 = skip_string( str1,1);2396 char *p = skip_string( str2,1);2534 int function = get_safe_SVAL(param,tpscnt,param,0,0); 2535 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 2536 char *str2 = skip_string(param,tpscnt,str1); 2537 char *p = skip_string(param,tpscnt,str2); 2397 2538 uint32 jobid; 2398 2539 int snum; … … 2401 2542 WERROR werr = WERR_OK; 2402 2543 2544 if (!str1 || !str2 || !p) { 2545 return False; 2546 } 2547 /* 2548 * We use 1 here not 2 as we're checking 2549 * the last byte we want to access is safe. 
2550 */ 2551 if (!is_offset_safe(param,tpscnt,p,1)) { 2552 return False; 2553 } 2403 2554 if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid)) 2404 2555 return False; … … 2457 2608 ****************************************************************************/ 2458 2609 2459 static BOOL api_WPrintQueueCtrl(connection_struct *conn,uint16 vuid, char *param,char *data, 2460 int mdrcnt,int mprcnt, 2461 char **rdata,char **rparam, 2462 int *rdata_len,int *rparam_len) 2463 { 2464 int function = SVAL(param,0); 2465 char *str1 = param+2; 2466 char *str2 = skip_string(str1,1); 2467 char *QueueName = skip_string(str2,1); 2610 static BOOL api_WPrintQueueCtrl(connection_struct *conn,uint16 vuid, 2611 char *param, int tpscnt, 2612 char *data, int tdscnt, 2613 int mdrcnt,int mprcnt, 2614 char **rdata,char **rparam, 2615 int *rdata_len,int *rparam_len) 2616 { 2617 int function = get_safe_SVAL(param,tpscnt,param,0,0); 2618 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 2619 char *str2 = skip_string(param,tpscnt,str1); 2620 char *QueueName = skip_string(param,tpscnt,str2); 2468 2621 int errcode = NERR_notsupported; 2469 2622 int snum; 2470 2623 WERROR werr = WERR_OK; 2471 2624 2625 if (!str1 || !str2 || !QueueName) { 2626 return False; 2627 } 2628 2472 2629 /* check it's a supported varient */ 2473 2630 if (!(strcsequal(str1,"z") && strcsequal(str2,""))) … … 2481 2638 *rdata_len = 0; 2482 2639 2640 if (skip_string(param,tpscnt,QueueName) == NULL) { 2641 return False; 2642 } 2483 2643 snum = print_queue_snum(QueueName); 2484 2644 … … 2527 2687 case 3: desc->format = "WWzWWDDzzzzzzzzzzlz"; break; 2528 2688 case 4: desc->format = "WWzWWDDzzzzzDDDDDDD"; break; 2529 default: return False; 2530 } 2531 if (strcmp(desc->format,id) != 0) return False; 2689 default: 2690 DEBUG(0,("check_printjob_info: invalid level %d\n", 2691 uLevel )); 2692 return False; 2693 } 2694 if (id == NULL || strcmp(desc->format,id) != 0) { 2695 DEBUG(0,("check_printjob_info: invalid format %s\n", 2696 id ? 
id : "<NULL>" )); 2697 return False; 2698 } 2532 2699 return True; 2533 2700 } 2534 2701 2535 static BOOL api_PrintJobInfo(connection_struct *conn,uint16 vuid,char *param,char *data, 2536 int mdrcnt,int mprcnt, 2537 char **rdata,char **rparam, 2538 int *rdata_len,int *rparam_len) 2702 static BOOL api_PrintJobInfo(connection_struct *conn, uint16 vuid, 2703 char *param, int tpscnt, 2704 char *data, int tdscnt, 2705 int mdrcnt,int mprcnt, 2706 char **rdata,char **rparam, 2707 int *rdata_len,int *rparam_len) 2539 2708 { 2540 2709 struct pack_desc desc; 2541 char *str1 = param+2;2542 char *str2 = skip_string( str1,1);2543 char *p = skip_string( str2,1);2710 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 2711 char *str2 = skip_string(param,tpscnt,str1); 2712 char *p = skip_string(param,tpscnt,str2); 2544 2713 uint32 jobid; 2545 2714 fstring sharename; 2546 int uLevel = SVAL(p,2);2547 int function = SVAL(p,4);2715 int uLevel = get_safe_SVAL(param,tpscnt,p,2,-1); 2716 int function = get_safe_SVAL(param,tpscnt,p,4,-1); 2548 2717 int place, errcode; 2549 2718 2719 if (!str1 || !str2 || !p) { 2720 return False; 2721 } 2722 /* 2723 * We use 1 here not 2 as we're checking 2724 * the last byte we want to access is safe. 
2725 */ 2726 if (!is_offset_safe(param,tpscnt,p,1)) { 2727 return False; 2728 } 2550 2729 if(!rap_to_pjobid(SVAL(p,0), sharename, &jobid)) 2551 2730 return False; … … 2609 2788 ****************************************************************************/ 2610 2789 2611 static BOOL api_RNetServerGetInfo(connection_struct *conn,uint16 vuid, char *param,char *data, 2612 int mdrcnt,int mprcnt, 2613 char **rdata,char **rparam, 2614 int *rdata_len,int *rparam_len) 2615 { 2616 char *str1 = param+2; 2617 char *str2 = skip_string(str1,1); 2618 char *p = skip_string(str2,1); 2619 int uLevel = SVAL(p,0); 2790 static BOOL api_RNetServerGetInfo(connection_struct *conn,uint16 vuid, 2791 char *param, int tpscnt, 2792 char *data, int tdscnt, 2793 int mdrcnt,int mprcnt, 2794 char **rdata,char **rparam, 2795 int *rdata_len,int *rparam_len) 2796 { 2797 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 2798 char *str2 = skip_string(param,tpscnt,str1); 2799 char *p = skip_string(param,tpscnt,str2); 2800 int uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 2620 2801 char *p2; 2621 2802 int struct_len; 2803 2804 if (!str1 || !str2 || !p) { 2805 return False; 2806 } 2622 2807 2623 2808 DEBUG(4,("NetServerGetInfo level %d\n",uLevel)); … … 2715 2900 comment, sizeof(comment)); 2716 2901 StrnCpy(p2,comment,MAX(mdrcnt - struct_len,0)); 2717 p2 = skip_string(p2,1); 2902 p2 = skip_string(*rdata,*rdata_len,p2); 2903 if (!p2) { 2904 return False; 2905 } 2718 2906 } 2719 2907 } … … 2741 2929 ****************************************************************************/ 2742 2930 2743 static BOOL api_NetWkstaGetInfo(connection_struct *conn,uint16 vuid, char *param,char *data, 2931 static BOOL api_NetWkstaGetInfo(connection_struct *conn,uint16 vuid, 2932 char *param, int tpscnt, 2933 char *data, int tdscnt, 2744 2934 int mdrcnt,int mprcnt, 2745 2935 char **rdata,char **rparam, 2746 2936 int *rdata_len,int *rparam_len) 2747 2937 { 2748 char *str1 = param+2;2749 char *str2 = skip_string( str1,1);2750 
char *p = skip_string( str2,1);2938 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 2939 char *str2 = skip_string(param,tpscnt,str1); 2940 char *p = skip_string(param,tpscnt,str2); 2751 2941 char *p2; 2752 int level = SVAL(p,0); 2942 int level = get_safe_SVAL(param,tpscnt,p,0,-1); 2943 2944 if (!str1 || !str2 || !p) { 2945 return False; 2946 } 2753 2947 2754 2948 DEBUG(4,("NetWkstaGetInfo level %d\n",level)); … … 2775 2969 2776 2970 p = *rdata; 2777 p2 = p + 22; 2971 p2 = get_safe_ptr(*rdata,*rdata_len,p,22); 2972 if (!p2) { 2973 return False; 2974 } 2778 2975 2779 2976 SIVAL(p,0,PTR_DIFF(p2,*rdata)); /* host name */ 2780 2977 pstrcpy(p2,get_local_machine_name()); 2781 2978 strupper_m(p2); 2782 p2 = skip_string(p2,1); 2979 p2 = skip_string(*rdata,*rdata_len,p2); 2980 if (!p2) { 2981 return False; 2982 } 2783 2983 p += 4; 2784 2984 2785 2985 SIVAL(p,0,PTR_DIFF(p2,*rdata)); 2786 2986 pstrcpy(p2,current_user_info.smb_name); 2787 p2 = skip_string(p2,1); 2987 p2 = skip_string(*rdata,*rdata_len,p2); 2988 if (!p2) { 2989 return False; 2990 } 2788 2991 p += 4; 2789 2992 … … 2791 2994 pstrcpy(p2,lp_workgroup()); 2792 2995 strupper_m(p2); 2793 p2 = skip_string(p2,1); 2996 p2 = skip_string(*rdata,*rdata_len,p2); 2997 if (!p2) { 2998 return False; 2999 } 2794 3000 p += 4; 2795 3001 … … 2800 3006 SIVAL(p,0,PTR_DIFF(p2,*rdata)); 2801 3007 pstrcpy(p2,lp_workgroup()); /* don't know. login domain?? 
*/ 2802 p2 = skip_string(p2,1); 3008 p2 = skip_string(*rdata,*rdata_len,p2); 3009 if (!p2) { 3010 return False; 3011 } 2803 3012 p += 4; 2804 3013 2805 3014 SIVAL(p,0,PTR_DIFF(p2,*rdata)); /* don't know */ 2806 3015 pstrcpy(p2,""); 2807 p2 = skip_string(p2,1); 3016 p2 = skip_string(*rdata,*rdata_len,p2); 3017 if (!p2) { 3018 return False; 3019 } 2808 3020 p += 4; 2809 3021 … … 2987 3199 2988 3200 2989 static BOOL api_RNetUserGetInfo(connection_struct *conn,uint16 vuid, char *param,char *data, 3201 static BOOL api_RNetUserGetInfo(connection_struct *conn, uint16 vuid, 3202 char *param, int tpscnt, 3203 char *data, int tdscnt, 2990 3204 int mdrcnt,int mprcnt, 2991 3205 char **rdata,char **rparam, 2992 3206 int *rdata_len,int *rparam_len) 2993 3207 { 2994 char *str1 = param+2;2995 char *str2 = skip_string( str1,1);2996 char *UserName = skip_string( str2,1);2997 char *p = skip_string( UserName,1);2998 int uLevel = SVAL(p,0);3208 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 3209 char *str2 = skip_string(param,tpscnt,str1); 3210 char *UserName = skip_string(param,tpscnt,str2); 3211 char *p = skip_string(param,tpscnt,UserName); 3212 int uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 2999 3213 char *p2; 3000 3214 const char *level_string; … … 3009 3223 } 3010 3224 3225 if (!str1 || !str2 || !UserName || !p) { 3226 return False; 3227 } 3228 3011 3229 *rparam_len = 6; 3012 3230 *rparam = SMB_REALLOC_LIMIT(*rparam,*rparam_len); … … 3044 3262 3045 3263 p = *rdata; 3046 p2 = p + usri11_end; 3264 p2 = get_safe_ptr(*rdata,*rdata_len,p,usri11_end); 3265 if (!p2) { 3266 return False; 3267 } 3047 3268 3048 3269 memset(p,0,21); … … 3057 3278 SIVAL(p,usri11_comment,PTR_DIFF(p2,p)); /* comment */ 3058 3279 pstrcpy(p2,"Comment"); 3059 p2 = skip_string(p2,1); 3280 p2 = skip_string(*rdata,*rdata_len,p2); 3281 if (!p2) { 3282 return False; 3283 } 3060 3284 3061 3285 SIVAL(p,usri11_usr_comment,PTR_DIFF(p2,p)); /* user_comment */ 3062 3286 pstrcpy(p2,"UserComment"); 3063 p2 = 
skip_string(p2,1); 3287 p2 = skip_string(*rdata,*rdata_len,p2); 3288 if (!p2) { 3289 return False; 3290 } 3064 3291 3065 3292 /* EEK! the cifsrap.txt doesn't have this in!!!! */ 3066 3293 SIVAL(p,usri11_full_name,PTR_DIFF(p2,p)); /* full name */ 3067 3294 pstrcpy(p2,((vuser != NULL) ? vuser->user.full_name : UserName)); 3068 p2 = skip_string(p2,1); 3295 p2 = skip_string(*rdata,*rdata_len,p2); 3296 if (!p2) { 3297 return False; 3298 } 3069 3299 } 3070 3300 … … 3076 3306 SIVAL(p,usri11_homedir,PTR_DIFF(p2,p)); /* home dir */ 3077 3307 pstrcpy(p2, vuser && vuser->homedir ? vuser->homedir : ""); 3078 p2 = skip_string(p2,1); 3308 p2 = skip_string(*rdata,*rdata_len,p2); 3309 if (!p2) { 3310 return False; 3311 } 3079 3312 SIVAL(p,usri11_parms,PTR_DIFF(p2,p)); /* parms */ 3080 3313 pstrcpy(p2,""); 3081 p2 = skip_string(p2,1); 3314 p2 = skip_string(*rdata,*rdata_len,p2); 3315 if (!p2) { 3316 return False; 3317 } 3082 3318 SIVAL(p,usri11_last_logon,0); /* last logon */ 3083 3319 SIVAL(p,usri11_last_logoff,0); /* last logoff */ … … 3086 3322 SIVAL(p,usri11_logon_server,PTR_DIFF(p2,p)); /* logon server */ 3087 3323 pstrcpy(p2,"\\\\*"); 3088 p2 = skip_string(p2,1); 3324 p2 = skip_string(*rdata,*rdata_len,p2); 3325 if (!p2) { 3326 return False; 3327 } 3089 3328 SSVAL(p,usri11_country_code,0); /* country code */ 3090 3329 3091 3330 SIVAL(p,usri11_workstations,PTR_DIFF(p2,p)); /* workstations */ 3092 3331 pstrcpy(p2,""); 3093 p2 = skip_string(p2,1); 3332 p2 = skip_string(*rdata,*rdata_len,p2); 3333 if (!p2) { 3334 return False; 3335 } 3094 3336 3095 3337 SIVALS(p,usri11_max_storage,-1); /* max storage */ … … 3100 3342 memset(p2,0xff,21); 3101 3343 SCVAL(p2,21,0); /* fix zero termination */ 3102 p2 = skip_string(p2,1); 3344 p2 = skip_string(*rdata,*rdata_len,p2); 3345 if (!p2) { 3346 return False; 3347 } 3103 3348 3104 3349 SSVAL(p,usri11_code_page,0); /* code page */ … … 3112 3357 SIVAL(p,44,PTR_DIFF(p2,*rdata)); /* home dir */ 3113 3358 pstrcpy(p2, vuser && vuser->homedir ? 
vuser->homedir : ""); 3114 p2 = skip_string(p2,1); 3359 p2 = skip_string(*rdata,*rdata_len,p2); 3360 if (!p2) { 3361 return False; 3362 } 3115 3363 SIVAL(p,48,PTR_DIFF(p2,*rdata)); /* comment */ 3116 3364 *p2++ = 0; … … 3118 3366 SIVAL(p,54,PTR_DIFF(p2,*rdata)); /* script_path */ 3119 3367 pstrcpy(p2,vuser && vuser->logon_script ? vuser->logon_script : ""); 3120 p2 = skip_string(p2,1); 3368 p2 = skip_string(*rdata,*rdata_len,p2); 3369 if (!p2) { 3370 return False; 3371 } 3121 3372 if (uLevel == 2) { 3122 3373 SIVAL(p,60,0); /* auth_flags */ 3123 3374 SIVAL(p,64,PTR_DIFF(p2,*rdata)); /* full_name */ 3124 3375 pstrcpy(p2,((vuser != NULL) ? vuser->user.full_name : UserName)); 3125 p2 = skip_string(p2,1); 3376 p2 = skip_string(*rdata,*rdata_len,p2); 3377 if (!p2) { 3378 return False; 3379 } 3126 3380 SIVAL(p,68,0); /* urs_comment */ 3127 3381 SIVAL(p,72,PTR_DIFF(p2,*rdata)); /* parms */ 3128 3382 pstrcpy(p2,""); 3129 p2 = skip_string(p2,1); 3383 p2 = skip_string(*rdata,*rdata_len,p2); 3384 if (!p2) { 3385 return False; 3386 } 3130 3387 SIVAL(p,76,0); /* workstations */ 3131 3388 SIVAL(p,80,0); /* last_logon */ … … 3146 3403 pstrcpy(p2, tmp); 3147 3404 } 3148 p2 = skip_string(p2,1); 3405 p2 = skip_string(*rdata,*rdata_len,p2); 3406 if (!p2) { 3407 return False; 3408 } 3149 3409 SSVAL(p,110,49); /* country_code */ 3150 3410 SSVAL(p,112,860); /* code page */ … … 3159 3419 } 3160 3420 3161 static BOOL api_WWkstaUserLogon(connection_struct *conn,uint16 vuid, char *param,char *data, 3421 static BOOL api_WWkstaUserLogon(connection_struct *conn,uint16 vuid, 3422 char *param, int tpscnt, 3423 char *data, int tdscnt, 3162 3424 int mdrcnt,int mprcnt, 3163 3425 char **rdata,char **rparam, 3164 3426 int *rdata_len,int *rparam_len) 3165 3427 { 3166 char *str1 = param+2;3167 char *str2 = skip_string( str1,1);3168 char *p = skip_string( str2,1);3428 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 3429 char *str2 = skip_string(param,tpscnt,str1); 3430 char *p = 
skip_string(param,tpscnt,str2); 3169 3431 int uLevel; 3170 3432 struct pack_desc desc; … … 3174 3436 user_struct *vuser = get_valid_user_struct(vuid); 3175 3437 3438 if (!str1 || !str2 || !p) { 3439 return False; 3440 } 3441 3176 3442 if(vuser != NULL) { 3177 3443 DEBUG(3,(" Username of UID %d is %s\n", (int)vuser->uid, … … 3179 3445 } 3180 3446 3181 uLevel = SVAL(p,0); 3182 name = p + 2; 3447 uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 3448 name = get_safe_str_ptr(param,tpscnt,p,2); 3449 if (!name) { 3450 return False; 3451 } 3183 3452 3184 3453 memset((char *)&desc,'\0',sizeof(desc)); … … 3253 3522 ****************************************************************************/ 3254 3523 3255 static BOOL api_WAccessGetUserPerms(connection_struct *conn,uint16 vuid, char *param,char *data, 3256 int mdrcnt,int mprcnt, 3257 char **rdata,char **rparam, 3258 int *rdata_len,int *rparam_len) 3259 { 3260 char *str1 = param+2; 3261 char *str2 = skip_string(str1,1); 3262 char *user = skip_string(str2,1); 3263 char *resource = skip_string(user,1); 3264 3524 static BOOL api_WAccessGetUserPerms(connection_struct *conn,uint16 vuid, 3525 char *param, int tpscnt, 3526 char *data, int tdscnt, 3527 int mdrcnt,int mprcnt, 3528 char **rdata,char **rparam, 3529 int *rdata_len,int *rparam_len) 3530 { 3531 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 3532 char *str2 = skip_string(param,tpscnt,str1); 3533 char *user = skip_string(param,tpscnt,str2); 3534 char *resource = skip_string(param,tpscnt,user); 3535 3536 if (!str1 || !str2 || !user || !resource) { 3537 return False; 3538 } 3539 3540 if (skip_string(param,tpscnt,resource) == NULL) { 3541 return False; 3542 } 3265 3543 DEBUG(3,("WAccessGetUserPerms user=%s resource=%s\n",user,resource)); 3266 3544 … … 3289 3567 ****************************************************************************/ 3290 3568 3291 static BOOL api_WPrintJobGetInfo(connection_struct *conn,uint16 vuid, char *param,char *data, 3292 int mdrcnt,int mprcnt, 
3293 char **rdata,char **rparam, 3294 int *rdata_len,int *rparam_len) 3295 { 3296 char *str1 = param+2; 3297 char *str2 = skip_string(str1,1); 3298 char *p = skip_string(str2,1); 3569 static BOOL api_WPrintJobGetInfo(connection_struct *conn, uint16 vuid, 3570 char *param, int tpscnt, 3571 char *data, int tdscnt, 3572 int mdrcnt,int mprcnt, 3573 char **rdata,char **rparam, 3574 int *rdata_len,int *rparam_len) 3575 { 3576 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 3577 char *str2 = skip_string(param,tpscnt,str1); 3578 char *p = skip_string(param,tpscnt,str2); 3299 3579 int uLevel; 3300 3580 int count; … … 3308 3588 char *tmpdata=NULL; 3309 3589 3310 uLevel = SVAL(p,2); 3590 if (!str1 || !str2 || !p) { 3591 return False; 3592 } 3593 3594 uLevel = get_safe_SVAL(param,tpscnt,p,2,-1); 3311 3595 3312 3596 memset((char *)&desc,'\0',sizeof(desc)); … … 3382 3666 } 3383 3667 3384 static BOOL api_WPrintJobEnumerate(connection_struct *conn,uint16 vuid, char *param,char *data, 3385 int mdrcnt,int mprcnt, 3386 char **rdata,char **rparam, 3387 int *rdata_len,int *rparam_len) 3388 { 3389 char *str1 = param+2; 3390 char *str2 = skip_string(str1,1); 3391 char *p = skip_string(str2,1); 3392 char* name = p; 3668 static BOOL api_WPrintJobEnumerate(connection_struct *conn, uint16 vuid, 3669 char *param, int tpscnt, 3670 char *data, int tdscnt, 3671 int mdrcnt,int mprcnt, 3672 char **rdata,char **rparam, 3673 int *rdata_len,int *rparam_len) 3674 { 3675 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 3676 char *str2 = skip_string(param,tpscnt,str1); 3677 char *p = skip_string(param,tpscnt,str2); 3678 char *name = p; 3393 3679 int uLevel; 3394 3680 int count; … … 3399 3685 print_status_struct status; 3400 3686 3687 if (!str1 || !str2 || !p) { 3688 return False; 3689 } 3690 3401 3691 memset((char *)&desc,'\0',sizeof(desc)); 3402 3692 memset((char *)&status,'\0',sizeof(status)); 3403 3693 3404 p = skip_string(p,1); 3405 uLevel = SVAL(p,0); 3694 p = skip_string(param,tpscnt,p); 
3695 if (!p) { 3696 return False; 3697 } 3698 uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 3406 3699 3407 3700 DEBUG(3,("WPrintJobEnumerate uLevel=%d name=%s\n",uLevel,name)); … … 3482 3775 break; 3483 3776 default: 3777 DEBUG(0,("check_printdest_info: invalid level %d\n", 3778 uLevel)); 3484 3779 return False; 3485 3780 } 3486 if (strcmp(desc->format,id) != 0) { 3781 if (id == NULL || strcmp(desc->format,id) != 0) { 3782 DEBUG(0,("check_printdest_info: invalid string %s\n", 3783 id ? id : "<NULL>" )); 3487 3784 return False; 3488 3785 } … … 3526 3823 } 3527 3824 3528 static BOOL api_WPrintDestGetInfo(connection_struct *conn,uint16 vuid, char *param,char *data, 3529 int mdrcnt,int mprcnt, 3530 char **rdata,char **rparam, 3531 int *rdata_len,int *rparam_len) 3532 { 3533 char *str1 = param+2; 3534 char *str2 = skip_string(str1,1); 3535 char *p = skip_string(str2,1); 3825 static BOOL api_WPrintDestGetInfo(connection_struct *conn, uint16 vuid, 3826 char *param, int tpscnt, 3827 char *data, int tdscnt, 3828 int mdrcnt,int mprcnt, 3829 char **rdata,char **rparam, 3830 int *rdata_len,int *rparam_len) 3831 { 3832 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 3833 char *str2 = skip_string(param,tpscnt,str1); 3834 char *p = skip_string(param,tpscnt,str2); 3536 3835 char* PrinterName = p; 3537 3836 int uLevel; … … 3540 3839 char *tmpdata=NULL; 3541 3840 3841 if (!str1 || !str2 || !p) { 3842 return False; 3843 } 3844 3542 3845 memset((char *)&desc,'\0',sizeof(desc)); 3543 3846 3544 p = skip_string(p,1); 3545 uLevel = SVAL(p,0); 3847 p = skip_string(param,tpscnt,p); 3848 if (!p) { 3849 return False; 3850 } 3851 uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 3546 3852 3547 3853 DEBUG(3,("WPrintDestGetInfo uLevel=%d PrinterName=%s\n",uLevel,PrinterName)); … … 3597 3903 } 3598 3904 3599 static BOOL api_WPrintDestEnum(connection_struct *conn,uint16 vuid, char *param,char *data, 3600 int mdrcnt,int mprcnt, 3601 char **rdata,char **rparam, 3602 int *rdata_len,int *rparam_len) 
3603 { 3604 char *str1 = param+2; 3605 char *str2 = skip_string(str1,1); 3606 char *p = skip_string(str2,1); 3905 static BOOL api_WPrintDestEnum(connection_struct *conn, uint16 vuid, 3906 char *param, int tpscnt, 3907 char *data, int tdscnt, 3908 int mdrcnt,int mprcnt, 3909 char **rdata,char **rparam, 3910 int *rdata_len,int *rparam_len) 3911 { 3912 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 3913 char *str2 = skip_string(param,tpscnt,str1); 3914 char *p = skip_string(param,tpscnt,str2); 3607 3915 int uLevel; 3608 3916 int queuecnt; … … 3611 3919 int services = lp_numservices(); 3612 3920 3921 if (!str1 || !str2 || !p) { 3922 return False; 3923 } 3924 3613 3925 memset((char *)&desc,'\0',sizeof(desc)); 3614 3926 3615 uLevel = SVAL(p,0);3927 uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 3616 3928 3617 3929 DEBUG(3,("WPrintDestEnum uLevel=%d\n",uLevel)); … … 3672 3984 } 3673 3985 3674 static BOOL api_WPrintDriverEnum(connection_struct *conn,uint16 vuid, char *param,char *data, 3675 int mdrcnt,int mprcnt, 3676 char **rdata,char **rparam, 3677 int *rdata_len,int *rparam_len) 3678 { 3679 char *str1 = param+2; 3680 char *str2 = skip_string(str1,1); 3681 char *p = skip_string(str2,1); 3986 static BOOL api_WPrintDriverEnum(connection_struct *conn, uint16 vuid, 3987 char *param, int tpscnt, 3988 char *data, int tdscnt, 3989 int mdrcnt,int mprcnt, 3990 char **rdata,char **rparam, 3991 int *rdata_len,int *rparam_len) 3992 { 3993 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 3994 char *str2 = skip_string(param,tpscnt,str1); 3995 char *p = skip_string(param,tpscnt,str2); 3682 3996 int uLevel; 3683 3997 int succnt; 3684 3998 struct pack_desc desc; 3685 3999 4000 if (!str1 || !str2 || !p) { 4001 return False; 4002 } 4003 3686 4004 memset((char *)&desc,'\0',sizeof(desc)); 3687 4005 3688 uLevel = SVAL(p,0);4006 uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 3689 4007 3690 4008 DEBUG(3,("WPrintDriverEnum uLevel=%d\n",uLevel)); … … 3729 4047 } 3730 4048 3731 static BOOL 
api_WPrintQProcEnum(connection_struct *conn,uint16 vuid, char *param,char *data, 4049 static BOOL api_WPrintQProcEnum(connection_struct *conn, uint16 vuid, 4050 char *param, int tpscnt, 4051 char *data, int tdscnt, 3732 4052 int mdrcnt,int mprcnt, 3733 4053 char **rdata,char **rparam, 3734 4054 int *rdata_len,int *rparam_len) 3735 4055 { 3736 char *str1 = param+2;3737 char *str2 = skip_string( str1,1);3738 char *p = skip_string( str2,1);4056 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 4057 char *str2 = skip_string(param,tpscnt,str1); 4058 char *p = skip_string(param,tpscnt,str2); 3739 4059 int uLevel; 3740 4060 int succnt; 3741 4061 struct pack_desc desc; 3742 4062 4063 if (!str1 || !str2 || !p) { 4064 return False; 4065 } 3743 4066 memset((char *)&desc,'\0',sizeof(desc)); 3744 4067 3745 uLevel = SVAL(p,0);4068 uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 3746 4069 3747 4070 DEBUG(3,("WPrintQProcEnum uLevel=%d\n",uLevel)); … … 3787 4110 } 3788 4111 3789 static BOOL api_WPrintPortEnum(connection_struct *conn,uint16 vuid, char *param,char *data, 3790 int mdrcnt,int mprcnt, 3791 char **rdata,char **rparam, 3792 int *rdata_len,int *rparam_len) 3793 { 3794 char *str1 = param+2; 3795 char *str2 = skip_string(str1,1); 3796 char *p = skip_string(str2,1); 4112 static BOOL api_WPrintPortEnum(connection_struct *conn, uint16 vuid, 4113 char *param, int tpscnt, 4114 char *data, int tdscnt, 4115 int mdrcnt,int mprcnt, 4116 char **rdata,char **rparam, 4117 int *rdata_len,int *rparam_len) 4118 { 4119 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 4120 char *str2 = skip_string(param,tpscnt,str1); 4121 char *p = skip_string(param,tpscnt,str2); 3797 4122 int uLevel; 3798 4123 int succnt; 3799 4124 struct pack_desc desc; 3800 4125 4126 if (!str1 || !str2 || !p) { 4127 return False; 4128 } 4129 3801 4130 memset((char *)&desc,'\0',sizeof(desc)); 3802 4131 3803 uLevel = SVAL(p,0);4132 uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 3804 4133 3805 4134 DEBUG(3,("WPrintPortEnum 
uLevel=%d\n",uLevel)); … … 3846 4175 } 3847 4176 3848 3849 4177 /**************************************************************************** 3850 4178 List open sessions 3851 4179 ****************************************************************************/ 3852 static BOOL api_RNetSessionEnum(connection_struct *conn,uint16 vuid, char *param, char *data, 3853 int mdrcnt,int mprcnt, 3854 char **rdata,char **rparam, 3855 int *rdata_len,int *rparam_len) 3856 3857 { 3858 char *str1 = param+2; 3859 char *str2 = skip_string(str1,1); 3860 char *p = skip_string(str2,1); 4180 4181 static BOOL api_RNetSessionEnum(connection_struct *conn, uint16 vuid, 4182 char *param, int tpscnt, 4183 char *data, int tdscnt, 4184 int mdrcnt,int mprcnt, 4185 char **rdata,char **rparam, 4186 int *rdata_len,int *rparam_len) 4187 4188 { 4189 char *str1 = get_safe_str_ptr(param,tpscnt,param,2); 4190 char *str2 = skip_string(param,tpscnt,str1); 4191 char *p = skip_string(param,tpscnt,str2); 3861 4192 int uLevel; 3862 4193 struct pack_desc desc; … … 3864 4195 int i, num_sessions; 3865 4196 4197 if (!str1 || !str2 || !p) { 4198 return False; 4199 } 4200 3866 4201 memset((char *)&desc,'\0',sizeof(desc)); 3867 4202 3868 uLevel = SVAL(p,0);4203 uLevel = get_safe_SVAL(param,tpscnt,p,0,-1); 3869 4204 3870 4205 DEBUG(3,("RNetSessionEnum uLevel=%d\n",uLevel)); … … 3953 4288 ****************************************************************************/ 3954 4289 3955 static BOOL api_Unsupported(connection_struct *conn, uint16 vuid, char *param, char *data, 3956 int mdrcnt, int mprcnt, 3957 char **rdata, char **rparam, 3958 int *rdata_len, int *rparam_len) 4290 static BOOL api_Unsupported(connection_struct *conn, uint16 vuid, 4291 char *param, int tpscnt, 4292 char *data, int tdscnt, 4293 int mdrcnt, int mprcnt, 4294 char **rdata, char **rparam, 4295 int *rdata_len, int *rparam_len) 3959 4296 { 3960 4297 *rparam_len = 4; … … 3977 4314 const char *name; 3978 4315 int id; 3979 BOOL (*fn)(connection_struct 
*,uint16,char *,char *, 4316 BOOL (*fn)(connection_struct *, uint16, 4317 char *, int, 4318 char *, int, 3980 4319 int,int,char **,char **,int *,int *); 3981 4320 BOOL auth_user; /* Deny anonymous access? */ … … 4032 4371 char *rdata = NULL; 4033 4372 char *rparam = NULL; 4373 const char *name1 = NULL; 4374 const char *name2 = NULL; 4034 4375 int rdata_len = 0; 4035 4376 int rparam_len = 0; … … 4042 4383 } 4043 4384 4385 if (tpscnt < 2) { 4386 return 0; 4387 } 4044 4388 api_command = SVAL(params,0); 4389 /* Is there a string at position params+2 ? */ 4390 if (skip_string(params,tpscnt,params+2)) { 4391 name1 = params + 2; 4392 } else { 4393 name1 = ""; 4394 } 4395 name2 = skip_string(params,tpscnt,params+2); 4396 if (!name2) { 4397 name2 = ""; 4398 } 4045 4399 4046 4400 DEBUG(3,("Got API command %d of form <%s> <%s> (tdscnt=%d,tpscnt=%d,mdrcnt=%d,mprcnt=%d)\n", 4047 4401 api_command, 4048 params+2,4049 skip_string(params+2,1),4402 name1, 4403 name2, 4050 4404 tdscnt,tpscnt,mdrcnt,mprcnt)); 4051 4405 … … 4084 4438 } 4085 4439 4086 reply = api_commands[i].fn(conn,vuid,params,data,mdrcnt,mprcnt, 4440 reply = api_commands[i].fn(conn, 4441 vuid, 4442 params,tpscnt, /* params + length */ 4443 data,tdscnt, /* data + length */ 4444 mdrcnt,mprcnt, 4087 4445 &rdata,&rparam,&rdata_len,&rparam_len); 4088 4446 … … 4095 4453 /* if we get False back then it's actually unsupported */ 4096 4454 if (!reply) { 4097 reply = api_Unsupported(conn,vuid,params, data,mdrcnt,mprcnt,4455 reply = api_Unsupported(conn,vuid,params,tpscnt,data,tdscnt,mdrcnt,mprcnt, 4098 4456 &rdata,&rparam,&rdata_len,&rparam_len); 4099 4457 }