Emanuel Moura dos Santos
2007-Jun-06 21:56 UTC
[Samba] string overflow in rpcclient add "printer" driver command
Hello,
I get the following error msg in the rpcclient -c 'adddriver' command:
ERROR: string overflow by 1 (1024 - 1023) in safe_strcpy [adddriver
"Windows NT x86" "My Driver Name 001:aaa]
Printer Driver My Driver Name 001 successfully installed.
My command is like this:
rpcclient MYSRV -s /etc/samba/smb.conf -A auth.txt -c 'adddriver
"Windows NT x86" "My Driver Name 001:
aaaaaa.001:aaaaaa.002:aaaaaa.003:aaaaaa.004::NULL:aaaaaa.001,
..... bla bla bla ... bbbbbbb.022, ... bla bla bla ...
aaaaaaa.077,ccccccc.078"'
My system is RHEL 5, Samba version is 3.0.23c-2.el5.2.0.2.x86_64. I found the same error in Fedora 6 Samba 3.0.24-5. I tried with 3.0.25a, but I get the same error too.
The error, I think, is in source/rpcclient/rpcclient.c, in the next_command function, in the pstrcpy() call.
I tried to fix it by changing the definition line in source/include/pstring.h to:
#define PSTRING_LEN 2048 /* was 1024 */
but I get compiler errors like:
nmbd/nmbd_incomingdgrams.o: In function `process_get_backup_list_request':
nmbd_incomingdgrams.c:(.text+0x7db): undefined reference to
`__unsafe_string_function_usage_here_size_t__'
The registry in ntdrivers.tdb is not complete either:
# tdbdump /var/cache/samba/ntdrivers.tdb | grep "My Driver Name"
key(36) = "DRIVERS/W32X86/3/My Driver Name 001\00"
data(406) = "\03\00\00\00My Driver Name 001\00Windows NT
x86\00\5Cprint$\5CW32X86\5C3\5Caaaaaa.001\00
... bbbbbbb.02\00"
I found four printer drivers with many file components (and long "-c" command strings):
HP LaserJet 2420 PS (1027 bytes in -c)
Canon S200 (1544 bytes in -c)
Canon iP1200 (1782 bytes in -c)
Canon PIXMA iP1000 (2014 bytes in -c)
Any ideas?
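The failure mode in this report, as an added example that is not Samba's code and not from the thread: a `;`-separated command list is split once into a fixed 1024-byte static buffer and once into a heap copy sized to the input. The function names, the `enumdrivers` second command and the 150-file driver string are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_LEN 1024 /* the PSTRING_LEN value quoted in the post */

/* Cut the next ';'-separated command out of *cmds; NULL when none are left. */
static char *split_next(char **cmds)
{
    char *start = cmds ? *cmds : NULL, *p;
    if (!start) return NULL;
    if ((p = strchr(start, ';')) != NULL) *p = '\0';
    *cmds = p ? p + 1 : NULL;
    return start;
}
/* "Before" (hypothetical): fixed static buffer, input past BUF_LEN-1 bytes is cut. */
static char *next_fixed(char **cmds)
{
    static char command[BUF_LEN];
    char *src = split_next(cmds);
    if (!src) return NULL;
    snprintf(command, sizeof command, "%s", src);
    return command;
}
/* "After" (hypothetical): heap copy sized to the input; the caller frees it. */
static char *next_heap(char **cmds)
{
    char *src = split_next(cmds), *command;
    if (!src) return NULL;
    if (!(command = malloc(strlen(src) + 1))) abort(); /* OOM is not end of input */
    return strcpy(command, src);
}
/* Constructed input (n < 1000): adddriver with n files, then a second command. */
static char *make_cmds(int n)
{
    char *s = malloc(64 + 12 * (size_t)n), *w = s;
    if (!s) abort();
    w += sprintf(w, "adddriver \"arch\" \"Drv:");
    for (int i = 0; i < n; i++)
        w += sprintf(w, "file%03d.dll%s", i, i + 1 < n ? "," : "");
    sprintf(w, "\";enumdrivers");
    return s;
}
int main(void)
{
    char *a = make_cmds(150), *b = make_cmds(150), *pa = a, *pb = b;
    char *full = next_heap(&pb);
    printf("fixed: %zu bytes, heap: %zu bytes\n", strlen(next_fixed(&pa)), strlen(full));
    free(full); free(a); free(b);
    return 0;
}
```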
Jeremy Allison
2007-Jun-07 00:34 UTC
[Samba] string overflow in rpcclient add "printer" driver command
On Wed, Jun 06, 2007 at 06:36:28PM -0300, Emanuel Moura dos Santos wrote:
> Hello,
>
> I get the following error msg in rpcclient -c 'adddriver' command:
>
> ERROR: string overflow by 1 (1024 - 1023) in safe_strcpy [adddriver "Windows NT x86" "My Driver Name 001:aaa]
> Printer Driver My Driver Name 001 successfully installed.
>
> My command is like this:
>
> rpcclient MYSRV -s /etc/samba/smb.conf -A auth.txt -c 'adddriver "Windows NT x86" "My Driver Name 001:
> aaaaaa.001:aaaaaa.002:aaaaaa.003:aaaaaa.004::NULL:aaaaaa.001,
> ..... bla bla bla ... bbbbbbb.022, ... bla bla bla ...
> aaaaaaa.077,ccccccc.078"'
>
> My system is RHEL 5, Samba version is 3.0.23c-2.el5.2.0.2.x86_64. The same error I found in Fedora 6 Samba
> 3.0.24-5. I try with 3.0.25a, but I get same error too.
>
> The error, I think, is in source/rpcclient/rpcclient.c next_command function in pstrcpy() call.
Good catch. Can you try this patch instead? Let me know if it works and I'll check it in.
Thanks, Jeremy.
-------------- next part --------------
Index: rpcclient/rpcclient.c ==================================================================--- rpcclient/rpcclient.c (revision 23369) +++ rpcclient/rpcclient.c (working copy) @@ -107,9 +107,9 @@ return matches; } -static char* next_command (char** cmdstr) +static char *next_command (char **cmdstr) { - static pstring command; + char *command; char *p; if (!cmdstr || !(*cmdstr)) @@ -118,7 +118,7 @@ p = strchr_m(*cmdstr, ';'); if (p) *p = '\0'; - pstrcpy(command, *cmdstr); + command = SMB_STRDUP(*cmdstr); if (p) *cmdstr = p + 1; else @@ -828,6 +828,7 @@ while((cmd=next_command(&p)) != NULL) { NTSTATUS cmd_result = process_cmd(cli, cmd); + SAFE_FREE(cmd); result = NT_STATUS_IS_ERR(cmd_result); }
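Review bot: The new ownership rule for the return value of next_command is undocumented. In the hunk at line 107, command changes from a static pstring to a plain char * that the next hunk fills from SMB_STRDUP, so every caller now has to release the result, yet nothing at the function says so. Add a comment above next_command stating that the returned string must be freed with SAFE_FREE, and confirm there are no other callers; this diff updates only the loop at line 828.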
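Review bot: The result of "command = SMB_STRDUP(*cmdstr);" in the hunk at line 118 is not checked. If the allocation fails and that NULL is handed back, the loop in the last hunk, "while((cmd=next_command(&p)) != NULL)", reads it as the end of the command list and skips the remaining commands without any error. Test for NULL right after the call and report the failure separately from end of input.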
Emanuel Moura dos Santos
2007-Jun-08 20:31 UTC
[Samba] string overflow in rpcclient add "printer" driver command
---------- Original header -----------
From: "Jeremy Allison" jra@samba.org
To: "Emanuel Moura dos Santos" emanuelsan@terra.com.br
Cc: samba@lists.samba.org
Date: Wed, 6 Jun 2007 17:33:19 -0700
Subject: Re: [Samba] string overflow in rpcclient add "printer" driver command
> On Wed, Jun 06, 2007 at 06:36:28PM -0300, Emanuel Moura dos Santos wrote:
> > I get the following error msg in rpcclient -c 'adddriver' command:
> >
> > ERROR: string overflow by 1 (1024 - 1023) in safe_strcpy [adddriver "Windows NT x86" "My Driver Name 001:aaa]
> > My command is like this:
> >
> > rpcclient MYSRV -s /etc/samba/smb.conf -A auth.txt -c 'adddriver "Windows NT x86" "My Driver Name 001:
> > aaaaaa.001:aaaaaa.002:aaaaaa.003:aaaaaa.004::NULL:aaaaaa.001,
> > ..... bla bla bla ... bbbbbbb.022, ... bla bla bla ...
> > aaaaaaa.077,ccccccc.078"'
> Good catch. Can you try this patch instead? Let me know if it works and
> I'll check it in.
Thanks. Your patch is OK. But the second part of my initial report is still losing files. The ntdrivers.tdb file cuts my file list.
Emanuel Moura dos Santos
2007-Jun-12 19:38 UTC
[Samba] string overflow in rpcclient add "printer" driver command
OK, I made a mistake; the tdbdump command returns the correct driver files now.
But other input formats for rpcclient are still in error:
rpcclient ... -c 'adddriver "arch" "verylongstring"'
OK Printer Driver MyDriver001 successfully installed.
echo 'adddriver "arch" "verylongstring"' | rpcclient ...
result was WERR_UNKNOWN_PRINTER_DRIVER
rpcclient ... << --EOC
adddriver "arch" "verylongstring"
--EOC
result was WERR_UNKNOWN_PRINTER_DRIVER
echo 'adddriver "arch" "truncated_verylongstring"' | rpcclient ...
Printer Driver MyDriver001 successfully installed.
rpcclient ... << --EOC
adddriver "arch" "truncated_verylongstring"
--EOC
Printer Driver MyDriver001 successfully installed.