From 9a118cd4a2b03146b341eeffb62144a2d29b574c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 6 Apr 2000 22:48:53 +0000 Subject: [PATCH] Modified interfaces and added checks around *all* *alloc calls so that errors are returned on memory allocation failure. Jeremy. --- source/include/proto.h | 4 +- source/printing/nt_printing.c | 50 ++++---- source/rpc_parse/parse_spoolss.c | 26 ++-- source/rpc_server/srv_spoolss.c | 39 ++++-- source/rpc_server/srv_spoolss_nt.c | 195 ++++++++++++++++++++++------- 5 files changed, 215 insertions(+), 99 deletions(-) diff --git a/source/include/proto.h b/source/include/proto.h index c74d775329f..9552dc3d1d6 100644 --- a/source/include/proto.h +++ b/source/include/proto.h @@ -1519,7 +1519,7 @@ BOOL trust_get_passwd( unsigned char trust_passwd[16], char *domain, char *mynam int get_ntforms(nt_forms_struct **list); int write_ntforms(nt_forms_struct **list, int number); -void add_a_form(nt_forms_struct **list, const FORM *form, int *count); +BOOL add_a_form(nt_forms_struct **list, const FORM *form, int *count); void update_a_form(nt_forms_struct **list, const FORM *form, int count); int get_ntdrivers(fstring **list, char *architecture); void get_short_archi(char *short_archi, char *long_archi); @@ -2369,7 +2369,7 @@ BOOL new_smb_io_job_info_1(char *desc, NEW_BUFFER *buffer, JOB_INFO_1 *info, int BOOL new_smb_io_job_info_2(char *desc, NEW_BUFFER *buffer, JOB_INFO_2 *info, int depth); BOOL new_smb_io_form_1(char *desc, NEW_BUFFER *buffer, FORM_1 *info, int depth); void new_spoolss_move_buffer(NEW_BUFFER *src, NEW_BUFFER **dest); -void new_spoolss_allocate_buffer(NEW_BUFFER **buffer); +BOOL new_spoolss_allocate_buffer(NEW_BUFFER **buffer); void new_spoolss_free_buffer(NEW_BUFFER *buffer); uint32 new_get_buffer_size(NEW_BUFFER *buffer); BOOL new_smb_io_driverdir_1(char *desc, NEW_BUFFER *buffer, DRIVER_DIRECTORY_1 *info, int depth); 
diff --git a/source/printing/nt_printing.c b/source/printing/nt_printing.c index 641ec4e3f62..39a44bdcf2d 100644 --- a/source/printing/nt_printing.c +++ b/source/printing/nt_printing.c @@ -148,7 +148,7 @@ int write_ntforms(nt_forms_struct **list, int number) /**************************************************************************** add a form struct at the end of the list ****************************************************************************/ -void add_a_form(nt_forms_struct **list, const FORM *form, int *count) +BOOL add_a_form(nt_forms_struct **list, const FORM *form, int *count) { int n=0; BOOL update; @@ -174,7 +174,8 @@ void add_a_form(nt_forms_struct **list, const FORM *form, int *count) if (update==False) { - *list=Realloc(*list, (n+1)*sizeof(nt_forms_struct)); + if((*list=Realloc(*list, (n+1)*sizeof(nt_forms_struct))) == NULL) + return False; unistr2_to_ascii((*list)[n].name, &(form->name), sizeof((*list)[n].name)-1); (*count)++; } @@ -186,6 +187,8 @@ void add_a_form(nt_forms_struct **list, const FORM *form, int *count) (*list)[n].top=form->top; (*list)[n].right=form->right; (*list)[n].bottom=form->bottom; + + return True; } /**************************************************************************** @@ -254,7 +257,10 @@ int get_ntdrivers(fstring **list, char *architecture) fstrcpy(driver_name, dpname+match_len); all_string_sub(driver_name, "#", "/", 0); - *list = Realloc(*list, sizeof(fstring)*(total+1)); + + if((*list = Realloc(*list, sizeof(fstring)*(total+1))) == NULL) + return -1; + StrnCpy((*list)[total], driver_name, strlen(driver_name)); DEBUGADD(106,("Added: [%s]\n", driver_name)); total++; @@ -832,6 +838,8 @@ static void free_nt_printer_param(NT_PRINTER_PARAM **param_ptr) if(param == NULL) return; + DEBUG(106,("free_nt_printer_param: deleting param [%s]\n", param->value)); + if(param->data) free(param->data); 
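Review bot: In `add_a_form`, assigning the result of `Realloc` straight back to `*list` loses the only pointer to the existing array when the call fails, so the caller is left with `*list == NULL` while `*count` still reports the old number of forms. Assuming `Realloc` follows `realloc` semantics and leaves the old block allocated on failure (its definition is not in this patch), that is a leak plus a NULL dereference in any caller that keeps indexing up to `*count`. Assign to a temporary first: `nt_forms_struct *tmp = Realloc(*list, (n+1)*sizeof(nt_forms_struct));`, then `if (tmp == NULL) return False;` and `*list = tmp;`. The same overwrite-on-failure pattern is added in `get_ntdrivers`, `new_smb_io_relarraystr`, `construct_notify_printer_info`, `construct_notify_jobs_info`, `enum_all_printers_info_1`, `enum_all_printers_info_2` and `init_unistr_array`.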
@@ -850,6 +858,8 @@ static void free_nt_devicemode(NT_DEVICEMODE **devmode_ptr) if(nt_devmode == NULL) return; + DEBUG(106,("free_nt_devicemode: deleting DEVMODE\n")); + if(nt_devmode->private) free(nt_devmode->private); @@ -869,6 +879,8 @@ static void free_nt_printer_info_level_2(NT_PRINTER_INFO_LEVEL_2 **info_ptr) if(info == NULL) return; + DEBUG(106,("free_nt_printer_info_level_2: deleting info\n")); + free_nt_devicemode(&info->devmode); for(param_ptr = info->specific; param_ptr; ) { @@ -1223,6 +1235,8 @@ uint32 get_a_printer(NT_PRINTER_INFO_LEVEL *printer, uint32 level, fstring share { uint32 success; + DEBUG(10,("get_a_printer: [%s] level %u\n", sharename, (unsigned int)level)); + switch (level) { case 2: @@ -1237,6 +1251,9 @@ uint32 get_a_printer(NT_PRINTER_INFO_LEVEL *printer, uint32 level, fstring share } dump_a_printer(*printer, level); + + DEBUG(10,("get_a_printer: [%s] level %u returning %u\n", sharename, (unsigned int)level, (unsigned int)success)); + return (success); } @@ -1253,32 +1270,7 @@ uint32 free_a_printer(NT_PRINTER_INFO_LEVEL printer, uint32 level) { if (printer.info_2 != NULL) { - if ((printer.info_2)->devmode != NULL) - { - DEBUG(106,("deleting DEVMODE\n")); - if ((printer.info_2)->devmode->private !=NULL ) - free((printer.info_2)->devmode->private); - free((printer.info_2)->devmode); - } - - if ((printer.info_2)->specific != NULL) - { - NT_PRINTER_PARAM *param; - NT_PRINTER_PARAM *next_param; - - param=(printer.info_2)->specific; - - while ( param != NULL) - { - next_param=param->next; - DEBUG(106,("deleting param [%s]\n", param->value)); - free(param->data); - free(param); - param=next_param; - } - } - - free(printer.info_2); + free_nt_printer_info_level_2(&printer.info_2); success=0; } else diff --git a/source/rpc_parse/parse_spoolss.c b/source/rpc_parse/parse_spoolss.c index fd053dbf452..6c62b662779 100644 --- a/source/rpc_parse/parse_spoolss.c +++ b/source/rpc_parse/parse_spoolss.c 
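Review bot: `free_a_printer` takes `printer` by value, so whatever `free_nt_printer_info_level_2(&printer.info_2)` does to the pointer it is handed only affects the local copy, and the caller's `info_2` still holds the freed address after the call. The helper's body is outside this hunk, but its pointer-to-pointer signature suggests it clears the pointer, which can give a false impression of safety at this call site. A comment above the call such as `/* printer is a by-value copy: the caller's info_2 is dangling after this call and must not be reused */` would document that. Taking `NT_PRINTER_INFO_LEVEL *` instead would fix it properly, but that is an interface change for a follow-up.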
@@ -264,7 +264,8 @@ static BOOL smb_io_notify_option_type_ctr(char *desc, SPOOL_NOTIFY_OPTION_TYPE_C /* reading */ if (UNMARSHALLING(ps)) - ctr->type=(SPOOL_NOTIFY_OPTION_TYPE *)malloc(ctr->count*sizeof(SPOOL_NOTIFY_OPTION_TYPE)); + if((ctr->type=(SPOOL_NOTIFY_OPTION_TYPE *)malloc(ctr->count*sizeof(SPOOL_NOTIFY_OPTION_TYPE))) == NULL) + return False; /* the option type struct */ for(i=0;icount;i++) @@ -1133,7 +1134,8 @@ BOOL spoolss_io_q_rffpcnex(char *desc, SPOOL_Q_RFFPCNEX *q_u, prs_struct *ps, in if (q_u->option_ptr!=0) { if (UNMARSHALLING(ps)) - q_u->option=(SPOOL_NOTIFY_OPTION *)malloc(sizeof(SPOOL_NOTIFY_OPTION)); + if((q_u->option=(SPOOL_NOTIFY_OPTION *)malloc(sizeof(SPOOL_NOTIFY_OPTION))) == NULL) + return False; if(!smb_io_notify_option("notify option", q_u->option, ps, depth)) return False; @@ -1181,7 +1183,8 @@ BOOL spoolss_io_q_rfnpcnex(char *desc, SPOOL_Q_RFNPCNEX *q_u, prs_struct *ps, in if (q_u->option_ptr!=0) { if (UNMARSHALLING(ps)) - q_u->option=(SPOOL_NOTIFY_OPTION *)malloc(sizeof(SPOOL_NOTIFY_OPTION)); + if((q_u->option=(SPOOL_NOTIFY_OPTION *)malloc(sizeof(SPOOL_NOTIFY_OPTION))) == NULL) + return False; if(!smb_io_notify_option("notify option", q_u->option, ps, depth)) return False; @@ -1421,7 +1424,8 @@ static BOOL new_smb_io_relarraystr(char *desc, NEW_BUFFER *buffer, int depth, ui return False; l_chaine=str_len_uni(&chaine); - chaine2=(uint16 *)Realloc(chaine2, (l_chaine2+l_chaine+1)*sizeof(uint16)); + if((chaine2=(uint16 *)Realloc(chaine2, (l_chaine2+l_chaine+1)*sizeof(uint16))) == NULL) + return False; memcpy(chaine2+l_chaine2, chaine.buffer, (l_chaine+1)*sizeof(uint16)); l_chaine2+=l_chaine+1; 
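Review bot: The new NULL check in `smb_io_notify_option_type_ctr` does not cover the case where `ctr->count*sizeof(SPOOL_NOTIFY_OPTION_TYPE)` wraps, and on the unmarshalling path `ctr->count` is presumably a value taken from the request. A wrapped product gives a small successful allocation while the loop that follows still iterates up to the count, which would write past the end of the buffer. Bound the count before allocating, e.g. `if (ctr->count > ((size_t)-1) / sizeof(SPOOL_NOTIFY_OPTION_TYPE)) return False;` (a protocol-level maximum would be tighter still). A count of 0 can also now fail on platforms where `malloc(0)` returns NULL. The function body starts and ends outside the hunk.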
@@ -1475,7 +1479,8 @@ static BOOL new_smb_io_reldevmode(char *desc, NEW_BUFFER *buffer, int depth, DEV prs_set_offset(ps, buffer->string_at_end + buffer->struct_start); /* read the string */ - *devmode=(DEVICEMODE *)malloc(sizeof(DEVICEMODE)); + if((*devmode=(DEVICEMODE *)malloc(sizeof(DEVICEMODE))) == NULL) + return False; if (!spoolss_io_devmode(desc, ps, depth, *devmode)) return False; @@ -1976,16 +1981,21 @@ void new_spoolss_move_buffer(NEW_BUFFER *src, NEW_BUFFER **dest) /******************************************************************* create a BUFFER struct. ********************************************************************/ -void new_spoolss_allocate_buffer(NEW_BUFFER **buffer) +BOOL new_spoolss_allocate_buffer(NEW_BUFFER **buffer) { if (buffer==NULL) - return; + return False; - *buffer=(NEW_BUFFER *)malloc(sizeof(NEW_BUFFER)); + if((*buffer=(NEW_BUFFER *)malloc(sizeof(NEW_BUFFER))) == NULL) { + DEBUG(0,("new_spoolss_allocate_buffer: malloc fail for size %u.\n", + (unsigned int)sizeof(NEW_BUFFER) )); + return False; + } (*buffer)->ptr=0x0; (*buffer)->size=0; (*buffer)->string_at_end=0; + return True; } /******************************************************************* diff --git a/source/rpc_server/srv_spoolss.c b/source/rpc_server/srv_spoolss.c index f23422d87a6..8ae75eec6cc 100755 --- a/source/rpc_server/srv_spoolss.c +++ b/source/rpc_server/srv_spoolss.c @@ -199,7 +199,8 @@ static BOOL api_spoolss_enumprinters(prs_struct *data, prs_struct *rdata) ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if (!spoolss_io_q_enumprinters("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_enumprinters: unable to unmarshall SPOOL_Q_ENUMPRINTERS.\n")); 
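Review bot: `new_spoolss_allocate_buffer` initialises only `ptr`, `size` and `string_at_end` after the `malloc`, so every other member of `NEW_BUFFER` is left holding whatever the heap contained. `new_smb_io_reldevmode` in this same file reads `buffer->struct_start`, so at least that member exists and is not set here. Zeroing the whole structure right after the NULL check with `ZERO_STRUCTP(*buffer);` (the macro is already used elsewhere in this patch) would make every later read well-defined.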
@@ -237,7 +238,8 @@ static BOOL api_spoolss_getprinter(prs_struct *data, prs_struct *rdata) ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if(!spoolss_io_q_getprinter("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_getprinter: unable to unmarshall SPOOL_Q_GETPRINTER.\n")); @@ -275,7 +277,8 @@ static BOOL api_spoolss_getprinterdriver2(prs_struct *data, prs_struct *rdata) ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if(!spoolss_io_q_getprinterdriver2("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_getprinterdriver2: unable to unmarshall SPOOL_Q_GETPRINTERDRIVER2.\n")); @@ -512,7 +515,8 @@ static BOOL api_spoolss_addjob(prs_struct *data, prs_struct *rdata) ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if(!spoolss_io_q_addjob("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_addjob: unable to unmarshall SPOOL_Q_ADDJOB.\n")); @@ -546,7 +550,8 @@ static BOOL api_spoolss_enumjobs(prs_struct *data, prs_struct *rdata) ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if (!spoolss_io_q_enumjobs("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_enumjobs: unable to unmarshall SPOOL_Q_ENUMJOBS.\n")); @@ -634,7 +639,8 @@ static BOOL api_spoolss_enumprinterdrivers(prs_struct *data, prs_struct *rdata) ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if (!spoolss_io_q_enumprinterdrivers("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_enumprinterdrivers: unable to unmarshall SPOOL_Q_ENUMPRINTERDRIVERS.\n")); 
@@ -670,7 +676,8 @@ static BOOL api_spoolss_enumforms(prs_struct *data, prs_struct *rdata) ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if (!spoolss_io_q_enumforms("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_enumforms: unable to unmarshall SPOOL_Q_ENUMFORMS.\n")); @@ -706,7 +713,8 @@ static BOOL api_spoolss_enumports(prs_struct *data, prs_struct *rdata) ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if(!spoolss_io_q_enumports("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_enumports: unable to unmarshall SPOOL_Q_ENUMPORTS.\n")); @@ -807,7 +815,8 @@ static BOOL api_spoolss_getprinterdriverdirectory(prs_struct *data, prs_struct * ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if(!spoolss_io_q_getprinterdriverdir("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_getprinterdriverdir: unable to unmarshall SPOOL_Q_GETPRINTERDRIVERDIR.\n")); @@ -952,7 +961,8 @@ static BOOL api_spoolss_enumprintprocessors(prs_struct *data, prs_struct *rdata) ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if(!spoolss_io_q_enumprintprocessors("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_enumprintprocessors: unable to unmarshall SPOOL_Q_ENUMPRINTPROCESSORS.\n")); @@ -987,7 +997,8 @@ static BOOL api_spoolss_enumprintprocdatatypes(prs_struct *data, prs_struct *rda ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if(!spoolss_io_q_enumprintprocdatatypes("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_enumprintprocdatatypes: unable to unmarshall SPOOL_Q_ENUMPRINTPROCDATATYPES.\n")); 
@@ -1022,7 +1033,8 @@ static BOOL api_spoolss_enumprintmonitors(prs_struct *data, prs_struct *rdata) ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if (!spoolss_io_q_enumprintmonitors("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_enumprintmonitors: unable to unmarshall SPOOL_Q_ENUMPRINTMONITORS.\n")); @@ -1054,7 +1066,8 @@ static BOOL api_spoolss_getjob(prs_struct *data, prs_struct *rdata) SPOOL_Q_GETJOB q_u; SPOOL_R_GETJOB r_u; - new_spoolss_allocate_buffer(&q_u.buffer); + if(!new_spoolss_allocate_buffer(&q_u.buffer)) + return False; if(!spoolss_io_q_getjob("", &q_u, data, 0)) { DEBUG(0,("spoolss_io_q_getjob: unable to unmarshall SPOOL_Q_GETJOB.\n")); diff --git a/source/rpc_server/srv_spoolss_nt.c b/source/rpc_server/srv_spoolss_nt.c index b7533c7873d..1d33b1b8bb3 100644 --- a/source/rpc_server/srv_spoolss_nt.c +++ b/source/rpc_server/srv_spoolss_nt.c @@ -227,7 +227,9 @@ static BOOL open_printer_hnd(POLICY_HND *hnd) { Printer_entry *new_printer; - new_printer=(Printer_entry *)malloc(sizeof(Printer_entry)); + if((new_printer=(Printer_entry *)malloc(sizeof(Printer_entry))) == NULL) + return False; + ZERO_STRUCTP(new_printer); new_printer->open = True; @@ -343,6 +345,9 @@ static BOOL set_printer_hnd_printername(POLICY_HND *hnd, char *printername) if (get_a_printer(&printer, 2, lp_servicename(snum))!=0) continue; + DEBUG(10,("set_printer_hnd_printername: printername [%s], aprinter [%s]\n", + printer.info_2->printername, aprinter )); + if ( strlen(printer.info_2->printername) != strlen(aprinter) ) { free_a_printer(printer, 2); continue; 
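Review bot: In `api_spoolss_getjob`, `q_u` and `r_u` are declared and used without the `ZERO_STRUCT(q_u); ZERO_STRUCT(r_u);` that every sibling handler in this file shows before its `new_spoolss_allocate_buffer` call. Only `q_u.buffer` is set by the allocation, so any member the unmarshalling code does not write stays indeterminate, and so does all of `r_u`. Add the two `ZERO_STRUCT` lines ahead of the new `if(!new_spoolss_allocate_buffer(&q_u.buffer))` check. The rest of the function is outside the hunk, so whether later code depends on those members cannot be confirmed from here.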
@@ -551,7 +556,8 @@ static BOOL convert_devicemode(DEVICEMODE devmode, NT_DEVICEMODE *nt_devmode) /* if we had a previous private delete it and make a new one */ if (nt_devmode->private != NULL) free(nt_devmode->private); - nt_devmode->private=(uint8 *)malloc(nt_devmode->driverextra * sizeof(uint8)); + if((nt_devmode->private=(uint8 *)malloc(nt_devmode->driverextra * sizeof(uint8))) == NULL) + return False; memcpy(nt_devmode->private, devmode.private, nt_devmode->driverextra); } @@ -581,7 +587,8 @@ static BOOL getprinterdata_printer_server(fstring value, uint32 *type, uint8 **d if (!strcmp(value, "BeepEnabled")) { *type = 0x4; - *data = (uint8 *)malloc( 4*sizeof(uint8) ); + if((*data = (uint8 *)malloc( 4*sizeof(uint8) )) == NULL) + return False; SIVAL(*data, 0, 0x01); *needed = 0x4; return True; @@ -590,7 +597,8 @@ static BOOL getprinterdata_printer_server(fstring value, uint32 *type, uint8 **d if (!strcmp(value, "EventLog")) { *type = 0x4; - *data = (uint8 *)malloc( 4*sizeof(uint8) ); + if((*data = (uint8 *)malloc( 4*sizeof(uint8) )) == NULL) + return False; SIVAL(*data, 0, 0x1B); *needed = 0x4; return True; @@ -599,7 +607,8 @@ static BOOL getprinterdata_printer_server(fstring value, uint32 *type, uint8 **d if (!strcmp(value, "NetPopup")) { *type = 0x4; - *data = (uint8 *)malloc( 4*sizeof(uint8) ); + if((*data = (uint8 *)malloc( 4*sizeof(uint8) )) == NULL) + return False; SIVAL(*data, 0, 0x01); *needed = 0x4; return True; @@ -608,7 +617,8 @@ static BOOL getprinterdata_printer_server(fstring value, uint32 *type, uint8 **d if (!strcmp(value, "MajorVersion")) { *type = 0x4; - *data = (uint8 *)malloc( 4*sizeof(uint8) ); + if((*data = (uint8 *)malloc( 4*sizeof(uint8) )) == NULL) + return False; SIVAL(*data, 0, 0x02); *needed = 0x4; return True; 
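Review bot: In `getprinterdata_printer_server`, the added `return False` on allocation failure is the same value the function appears to use for an unrecognised value name, so the caller cannot tell out-of-memory from "not found". The later hunk in `_spoolss_getprinterdata` answers `found==False` with a further allocation and `ERROR_INVALID_PARAMETER`, which suggests a memory failure here is reported to the client as a bad parameter. `*type` has also already been written when the function bails out. At minimum, document this above the function with `/* NOTE: False is returned both for an unknown value and for malloc failure */`. The function ends outside the hunk.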
@@ -619,7 +629,8 @@ static BOOL getprinterdata_printer_server(fstring value, uint32 *type, uint8 **d pstring string="You are using a Samba server"; *type = 0x1; *needed = 2*(strlen(string)+1); - *data = (uint8 *)malloc( ((*needed > in_size) ? *needed:in_size) *sizeof(uint8)); + if((*data = (uint8 *)malloc( ((*needed > in_size) ? *needed:in_size) *sizeof(uint8))) == NULL) + return False; memset(*data, 0, (*needed > in_size) ? *needed:in_size); /* it's done by hand ready to go on the wire */ @@ -636,7 +647,8 @@ static BOOL getprinterdata_printer_server(fstring value, uint32 *type, uint8 **d pstring string="Windows NT x86"; *type = 0x1; *needed = 2*(strlen(string)+1); - *data = (uint8 *)malloc( ((*needed > in_size) ? *needed:in_size) *sizeof(uint8)); + if((*data = (uint8 *)malloc( ((*needed > in_size) ? *needed:in_size) *sizeof(uint8))) == NULL) + return False; memset(*data, 0, (*needed > in_size) ? *needed:in_size); for (i=0; iin_size)?in_size:len *sizeof(uint8)); @@ -722,7 +741,8 @@ uint32 _spoolss_getprinterdata(const POLICY_HND *handle, UNISTR2 *valuename, DEBUG(4,("_spoolss_getprinterdata\n")); if (!OPEN_HANDLE(Printer)) { - *data=(uint8 *)malloc(4*sizeof(uint8)); + if((*data=(uint8 *)malloc(4*sizeof(uint8))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; return ERROR_INVALID_HANDLE; } @@ -736,7 +756,8 @@ uint32 _spoolss_getprinterdata(const POLICY_HND *handle, UNISTR2 *valuename, if (found==False) { DEBUG(5, ("value not found, allocating %d\n", *out_size)); /* reply this param doesn't exist */ - *data=(uint8 *)malloc(*out_size*sizeof(uint8)); + if((*data=(uint8 *)malloc(*out_size*sizeof(uint8))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; memset(*data, 0x0, *out_size*sizeof(uint8)); return ERROR_INVALID_PARAMETER; } 
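Review bot: On the invalid-handle path of `_spoolss_getprinterdata`, the four bytes obtained from `malloc` are never written before the function returns `ERROR_INVALID_HANDLE`. If the reply marshalling copies `*data` to the client on an error return (not visible in this hunk), uninitialised heap contents go out on the wire. Clear the buffer after the NULL check with `memset(*data, 0, 4*sizeof(uint8));`, as the `found==False` branch just below already does for its own allocation.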
@@ -1250,7 +1271,10 @@ static BOOL construct_notify_printer_info(SPOOL_NOTIFY_INFO *info, int snum, SPO if (!search_notify(type, field, &j) ) continue; - info->data=Realloc(info->data, (info->count+1)*sizeof(SPOOL_NOTIFY_INFO_DATA)); + if((info->data=Realloc(info->data, (info->count+1)*sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) { + free_a_printer(printer, 2); + return False; + } current_data=&(info->data[info->count]); construct_info_data(current_data, type, field, id); @@ -1297,7 +1321,11 @@ static BOOL construct_notify_jobs_info(print_queue_struct *queue, SPOOL_NOTIFY_I if (!search_notify(type, field, &j) ) continue; - info->data=Realloc(info->data, (info->count+1)*sizeof(SPOOL_NOTIFY_INFO_DATA)); + if((info->data=Realloc(info->data, (info->count+1)*sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) { + free_a_printer(printer, 2); + return False; + } + current_data=&(info->data[info->count]); construct_info_data(current_data, type, field, id); @@ -1531,7 +1559,8 @@ static BOOL construct_printer_info_0(PRINTER_INFO_0 *printer, int snum, pstring /* it's the first time, add it to the list */ if (session_counter==NULL) { - session_counter=(counter_printer_0 *)malloc(sizeof(counter_printer_0)); + if((session_counter=(counter_printer_0 *)malloc(sizeof(counter_printer_0))) == NULL) + return False; ZERO_STRUCTP(session_counter); session_counter->snum=snum; session_counter->counter=0; @@ -1635,7 +1664,7 @@ static BOOL construct_printer_info_1(fstring server, uint32 flags, PRINTER_INFO_ /**************************************************************************** ****************************************************************************/ -static void construct_dev_mode(DEVICEMODE *devmode, int snum, char *servername) +static BOOL construct_dev_mode(DEVICEMODE *devmode, int snum, char *servername) { char adevice[32]; char aform[32]; 
@@ -1686,11 +1715,16 @@ static void construct_dev_mode(DEVICEMODE *devmode, int snum, char *servername) if (ntdevmode->private != NULL) { - devmode->private=(uint8 *)malloc(devmode->driverextra*sizeof(uint8)); + if((devmode->private=(uint8 *)malloc(devmode->driverextra*sizeof(uint8))) == NULL) { + free_a_printer(printer, 2); + return False; + } memcpy(devmode->private, ntdevmode->private, devmode->driverextra); } free_a_printer(printer, 2); + + return True; } /******************************************************************** @@ -1749,14 +1783,25 @@ static BOOL construct_printer_info_2(pstring servername, PRINTER_INFO_2 *printer printer->cjobs = count; /* jobs */ printer->averageppm = ntprinter.info_2->averageppm; /* average pages per minute */ - devmode=(DEVICEMODE *)malloc(sizeof(DEVICEMODE)); + if((devmode=(DEVICEMODE *)malloc(sizeof(DEVICEMODE))) == NULL) + goto err; + ZERO_STRUCTP(devmode); - construct_dev_mode(devmode, snum, servername); + + if(!construct_dev_mode(devmode, snum, servername)) + goto err; + printer->devmode=devmode; safe_free(queue); free_a_printer(ntprinter, 2); return True; + + err: + + safe_free(queue); + free_a_printer(ntprinter, 2); + return False; } /******************************************************************** @@ -1777,7 +1822,10 @@ static BOOL enum_all_printers_info_1(fstring server, uint32 flags, NEW_BUFFER *b DEBUG(4,("Found a printer in smb.conf: %s[%x]\n", lp_servicename(snum), snum)); if (construct_printer_info_1(server, flags, ¤t_prt, snum)) { - printers=Realloc(printers, (*returned +1)*sizeof(PRINTER_INFO_1)); + if((printers=Realloc(printers, (*returned +1)*sizeof(PRINTER_INFO_1))) == NULL) { + *returned=0; + return ERROR_NOT_ENOUGH_MEMORY; + } DEBUG(4,("ReAlloced memory for [%d] PRINTER_INFO_1\n", *returned)); memcpy(&(printers[*returned]), ¤t_prt, sizeof(PRINTER_INFO_1)); (*returned)++; 
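Review bot: The new `err:` path in `construct_printer_info_2` releases `queue` and `ntprinter` but not `devmode`, so when `construct_dev_mode` fails the freshly allocated `DEVICEMODE` is leaked. Adding `safe_free(devmode);` under `err:` covers both jumps, since `devmode` is NULL on the first `goto` (the failed `malloc` assigned it). `fill_job_info_2` has the same gap: its `if(!construct_dev_mode(devmode, snum, global_myname))` branch returns after `free_a_printer(ntprinter, 2)` without freeing `devmode`.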
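Review bot: `enum_all_printers_info_1` is declared `static BOOL` in the hunk header, yet the new failure path returns `ERROR_NOT_ENOUGH_MEMORY`, a non-zero status code. Any caller that tests the result as a boolean reads the out-of-memory error as success. If the function is really meant to return status codes, its declared type should be `uint32` like the `getprinter_level_*` functions. `enum_all_printers_info_1_remote` and `enum_all_printers_info_2` show the same mismatch, and `enum_all_printers_info_2` does not reset `*returned` on its failure path the way this one does.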
@@ -1863,7 +1911,8 @@ static BOOL enum_all_printers_info_1_remote(fstring name, NEW_BUFFER *buffer, ui * We should have a TDB here. The registration is done thru an undocumented RPC call. */ - printer=(PRINTER_INFO_1 *)malloc(sizeof(PRINTER_INFO_1)); + if((printer=(PRINTER_INFO_1 *)malloc(sizeof(PRINTER_INFO_1))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; *returned=1; @@ -1930,7 +1979,8 @@ static BOOL enum_all_printers_info_2(fstring servername, NEW_BUFFER *buffer, uin DEBUG(4,("Found a printer in smb.conf: %s[%x]\n", lp_servicename(snum), snum)); if (construct_printer_info_2(servername, ¤t_prt, snum)) { - printers=Realloc(printers, (*returned +1)*sizeof(PRINTER_INFO_2)); + if((printers=Realloc(printers, (*returned +1)*sizeof(PRINTER_INFO_2))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; DEBUG(4,("ReAlloced memory for [%d] PRINTER_INFO_2\n", *returned)); memcpy(&(printers[*returned]), ¤t_prt, sizeof(PRINTER_INFO_2)); (*returned)++; @@ -2093,7 +2143,8 @@ static uint32 getprinter_level_0(pstring servername, int snum, NEW_BUFFER *buffe { PRINTER_INFO_0 *printer=NULL; - printer=(PRINTER_INFO_0*)malloc(sizeof(PRINTER_INFO_0)); + if((printer=(PRINTER_INFO_0*)malloc(sizeof(PRINTER_INFO_0))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; construct_printer_info_0(printer, snum, servername); @@ -2124,7 +2175,9 @@ static uint32 getprinter_level_1(pstring servername, int snum, NEW_BUFFER *buffe { PRINTER_INFO_1 *printer=NULL; - printer=(PRINTER_INFO_1*)malloc(sizeof(PRINTER_INFO_1)); + if((printer=(PRINTER_INFO_1*)malloc(sizeof(PRINTER_INFO_1))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; + construct_printer_info_1(servername, PRINTER_ENUM_ICON8, printer, snum); /* check the required size. */ 
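Review bot: `getprinter_level_0` still discards the result of `construct_printer_info_0`, which gains a new `return False` in this commit for its own allocation failure. Because `printer` comes from `malloc` and is not zeroed, a failed construct leaves uninitialised fields that the code after the hunk presumably sizes and marshals into the reply. Check the call: `if (!construct_printer_info_0(printer, snum, servername)) { safe_free(printer); return ERROR_NOT_ENOUGH_MEMORY; }`. `getprinter_level_1` ignores the result of `construct_printer_info_1` in the same way.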
@@ -2155,7 +2208,8 @@ static uint32 getprinter_level_2(pstring servername, int snum, NEW_BUFFER *buffe PRINTER_INFO_2 *printer=NULL; fstring temp; - printer=(PRINTER_INFO_2*)malloc(sizeof(PRINTER_INFO_2)); + if((printer=(PRINTER_INFO_2*)malloc(sizeof(PRINTER_INFO_2)))==NULL) + return ERROR_NOT_ENOUGH_MEMORY; fstrcpy(temp, "\\\\"); fstrcat(temp, servername); @@ -2313,7 +2367,10 @@ static void init_unistr_array(uint16 **uni_array, char **char_array, char *where for (v=char_array[i]; *v!='\0'; v=char_array[i]) { snprintf(line, sizeof(line)-1, "%s%s", where, v); DEBUGADD(6,("%d:%s:%d\n", i, line, strlen(line))); - *uni_array=Realloc(*uni_array, (j+strlen(line)+2)*sizeof(uint16)); + if((*uni_array=Realloc(*uni_array, (j+strlen(line)+2)*sizeof(uint16))) == NULL) { + DEBUG(0,("init_unistr_array: Realloc error\n" )); + return; + } ascii_to_unistr( *uni_array+j, line , strlen(line)); j+=strlen(line)+1; i++; @@ -2392,7 +2449,8 @@ static uint32 getprinterdriver2_level1(pstring servername, pstring architecture, { DRIVER_INFO_1 *info=NULL; - info=(DRIVER_INFO_1 *)malloc(sizeof(DRIVER_INFO_1)); + if((info=(DRIVER_INFO_1 *)malloc(sizeof(DRIVER_INFO_1))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; construct_printer_driver_info_1(info, snum, servername, architecture); @@ -2422,7 +2480,8 @@ static uint32 getprinterdriver2_level2(pstring servername, pstring architecture, { DRIVER_INFO_2 *info=NULL; - info=(DRIVER_INFO_2 *)malloc(sizeof(DRIVER_INFO_2)); + if((info=(DRIVER_INFO_2 *)malloc(sizeof(DRIVER_INFO_2))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; construct_printer_driver_info_2(info, snum, servername, architecture); @@ -2452,7 +2511,8 @@ static uint32 getprinterdriver2_level3(pstring servername, pstring architecture, { DRIVER_INFO_3 *info=NULL; - info=(DRIVER_INFO_3 *)malloc(sizeof(DRIVER_INFO_3)); + if((info=(DRIVER_INFO_3 *)malloc(sizeof(DRIVER_INFO_3)))==NULL) + return ERROR_NOT_ENOUGH_MEMORY; construct_printer_driver_info_3(info, snum, servername, architecture); 
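Review bot: `init_unistr_array` only logs and returns when `Realloc` fails, and because the function is `void` its callers cannot notice that `*uni_array` is now NULL and the array is incomplete. That is at odds with the commit's stated goal of returning errors on allocation failure. Changing the signature to `static BOOL init_unistr_array(...)` with `return False;` here and `return True;` at the end would bring it in line with `add_a_form` and `construct_dev_mode`. The callers are outside this hunk and would need to check the result.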
@@ -2971,9 +3031,16 @@ static BOOL fill_job_info_2(JOB_INFO_2 *job_info, print_queue_struct *queue, job_info->timeelapsed=0; job_info->pagesprinted=0; - devmode=(DEVICEMODE *)malloc(sizeof(DEVICEMODE)); + if((devmode=(DEVICEMODE *)malloc(sizeof(DEVICEMODE))) == NULL) { + free_a_printer(ntprinter, 2); + return False; + } + ZERO_STRUCTP(devmode); - construct_dev_mode(devmode, snum, global_myname); + if(!construct_dev_mode(devmode, snum, global_myname)) { + free_a_printer(ntprinter, 2); + return False; + } job_info->devmode=devmode; free_a_printer(ntprinter, 2); @@ -3189,7 +3256,9 @@ static uint32 enumprinterdrivers_level1(fstring *list, fstring servername, fstri int i; NT_PRINTER_DRIVER_INFO_LEVEL driver; DRIVER_INFO_1 *driver_info_1=NULL; - driver_info_1=(DRIVER_INFO_1 *)malloc(*returned * sizeof(DRIVER_INFO_1)); + + if((driver_info_1=(DRIVER_INFO_1 *)malloc(*returned * sizeof(DRIVER_INFO_1))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; for (i=0; i<*returned; i++) { get_a_printer_driver(&driver, 3, list[i], architecture); @@ -3234,7 +3303,9 @@ static uint32 enumprinterdrivers_level2(fstring *list, fstring servername, fstri int i; NT_PRINTER_DRIVER_INFO_LEVEL driver; DRIVER_INFO_2 *driver_info_2=NULL; - driver_info_2=(DRIVER_INFO_2 *)malloc(*returned * sizeof(DRIVER_INFO_2)); + + if((driver_info_2=(DRIVER_INFO_2 *)malloc(*returned * sizeof(DRIVER_INFO_2))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; for (i=0; i<*returned; i++) { get_a_printer_driver(&driver, 3, list[i], architecture); @@ -3279,7 +3350,9 @@ static uint32 enumprinterdrivers_level3(fstring *list, fstring servername, fstri int i; NT_PRINTER_DRIVER_INFO_LEVEL driver; DRIVER_INFO_3 *driver_info_3=NULL; - driver_info_3=(DRIVER_INFO_3 *)malloc((*returned)*sizeof(DRIVER_INFO_3)); + + if((driver_info_3=(DRIVER_INFO_3 *)malloc((*returned)*sizeof(DRIVER_INFO_3))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; for (i=0; i<*returned; i++) { get_a_printer_driver(&driver, 3, list[i], architecture); 
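Review bot: In `enumprinterdrivers_level1`, `*returned` may be zero when no drivers exist for the architecture, and `malloc(0)` is allowed to return NULL, so the new check can turn an empty list into `ERROR_NOT_ENOUGH_MEMORY` on such platforms. Make the failure test depend on the count, e.g. `if (driver_info_1 == NULL && *returned != 0) return ERROR_NOT_ENOUGH_MEMORY;` after a plain assignment, or return early for an empty list. The product `*returned * sizeof(DRIVER_INFO_1)` is also not checked for wrap-around. `enumprinterdrivers_level2`, `enumprinterdrivers_level3` and the `FORM_1` allocation in `_new_spoolss_enumforms` are written the same way.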
@@ -3340,6 +3413,9 @@ uint32 _spoolss_enumprinterdrivers( UNISTR2 *name, UNISTR2 *environment, uint32 *returned=get_ntdrivers(&list, architecture); DEBUGADD(4,("we have: [%d] drivers in environment [%s]\n", *returned, architecture)); + if(*returned == -1) + return ERROR_NOT_ENOUGH_MEMORY; + for (i=0; i<*returned; i++) DEBUGADD(5,("driver: [%s]\n", list[i])); @@ -3393,7 +3469,10 @@ uint32 _new_spoolss_enumforms( const POLICY_HND *handle, uint32 level, switch (level) { case 1: - forms_1=(FORM_1 *)malloc(*numofforms * sizeof(FORM_1)); + if((forms_1=(FORM_1 *)malloc(*numofforms * sizeof(FORM_1))) == NULL) { + *numofforms=0; + return ERROR_NOT_ENOUGH_MEMORY; + } /* construct the list of form structures */ for (i=0; i<*numofforms; i++) { @@ -3472,7 +3551,8 @@ static uint32 enumports_level_1(NEW_BUFFER *buffer, uint32 offered, uint32 *need if ( lp_browseable(snum) && lp_snum_ok(snum) && lp_print_ok(snum) ) (*returned)++; - ports=(PORT_INFO_1 *)malloc( (*returned+1) * sizeof(PORT_INFO_1) ); + if((ports=(PORT_INFO_1 *)malloc( (*returned+1) * sizeof(PORT_INFO_1) )) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; for (snum=0; snumname), "winprint"); @@ -4010,7 +4104,9 @@ static uint32 enumprintprocdatatypes_level_1(NEW_BUFFER *buffer, uint32 offered, { PRINTPROCDATATYPE_1 *info_1=NULL; - info_1 = (PRINTPROCDATATYPE_1 *)malloc(sizeof(PRINTPROCDATATYPE_1)); + if((info_1 = (PRINTPROCDATATYPE_1 *)malloc(sizeof(PRINTPROCDATATYPE_1))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; + (*returned) = 0x1; init_unistr(&(info_1->name), "RAW"); @@ -4060,7 +4156,9 @@ static uint32 enumprintmonitors_level_1(NEW_BUFFER *buffer, uint32 offered, uint { PRINTMONITOR_1 *info_1=NULL; - info_1 = (PRINTMONITOR_1 *)malloc(sizeof(PRINTMONITOR_1)); + if((info_1 = (PRINTMONITOR_1 *)malloc(sizeof(PRINTMONITOR_1))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; + (*returned) = 0x1; init_unistr(&(info_1->name), "Local Port"); 
@@ -4089,7 +4187,9 @@ static uint32 enumprintmonitors_level_2(NEW_BUFFER *buffer, uint32 offered, uint { PRINTMONITOR_2 *info_2=NULL; - info_2 = (PRINTMONITOR_2 *)malloc(sizeof(PRINTMONITOR_2)); + if((info_2 = (PRINTMONITOR_2 *)malloc(sizeof(PRINTMONITOR_2))) == NULL) + return ERROR_NOT_ENOUGH_MEMORY; + (*returned) = 0x1; init_unistr(&(info_2->name), "Local Port"); @@ -4151,6 +4251,7 @@ static uint32 getjob_level_1(print_queue_struct *queue, int count, int snum, uin int i=0; BOOL found=False; JOB_INFO_1 *info_1=NULL; + info_1=(JOB_INFO_1 *)malloc(sizeof(JOB_INFO_1)); if (info_1 == NULL) {