Fix for CVE-2009-2906.
[Samba.git] / source3 / libsmb / cliprint.c
blob223ddb41866e3ee294fede75f9e6cc858e660acf
1 /*
2 Unix SMB/CIFS implementation.
3 client print routines
4 Copyright (C) Andrew Tridgell 1994-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #include "includes.h"
22 /*****************************************************************************
23 Convert a character pointer in a cli_call_api() response to a form we can use.
24 This function contains code to prevent core dumps if the server returns
25 invalid data.
26 *****************************************************************************/
27 static const char *fix_char_ptr(unsigned int datap, unsigned int converter,
28 char *rdata, int rdrcnt)
30 if (datap == 0) {
31 /* turn NULL pointers into zero length strings */
32 return "";
33 } else {
34 unsigned int offset = datap - converter;
36 if (offset >= rdrcnt) {
37 DEBUG(1,("bad char ptr: datap=%u, converter=%u rdrcnt=%d>",
38 datap, converter, rdrcnt));
39 return "<ERROR>";
40 } else {
41 return &rdata[offset];
46 /****************************************************************************
47 call fn() on each entry in a print queue
48 ****************************************************************************/
50 int cli_print_queue(struct cli_state *cli,
51 void (*fn)(struct print_job_info *))
53 char *rparam = NULL;
54 char *rdata = NULL;
55 char *p;
56 unsigned int rdrcnt, rprcnt;
57 char param[1024];
58 int result_code=0;
59 int i = -1;
61 memset(param,'\0',sizeof(param));
63 p = param;
64 SSVAL(p,0,76); /* API function number 76 (DosPrintJobEnum) */
65 p += 2;
66 safe_strcpy_base(p,"zWrLeh", param, sizeof(param)); /* parameter description? */
67 p = skip_string(param,sizeof(param),p);
68 safe_strcpy_base(p,"WWzWWDDzz", param, sizeof(param)); /* returned data format */
69 p = skip_string(param,sizeof(param),p);
70 safe_strcpy_base(p,cli->share, param, sizeof(param)); /* name of queue */
71 p = skip_string(param,sizeof(param),p);
72 SSVAL(p,0,2); /* API function level 2, PRJINFO_2 data structure */
73 SSVAL(p,2,1000); /* size of bytes of returned data buffer */
74 p += 4;
75 safe_strcpy_base(p,"", param,sizeof(param)); /* subformat */
76 p = skip_string(param,sizeof(param),p);
78 DEBUG(4,("doing cli_print_queue for %s\n", cli->share));
80 if (cli_api(cli,
81 param, PTR_DIFF(p,param), 1024, /* Param, length, maxlen */
82 NULL, 0, CLI_BUFFER_SIZE, /* data, length, maxlen */
83 &rparam, &rprcnt, /* return params, length */
84 &rdata, &rdrcnt)) { /* return data, length */
85 int converter;
86 result_code = SVAL(rparam,0);
87 converter = SVAL(rparam,2); /* conversion factor */
89 if (result_code == 0) {
90 struct print_job_info job;
92 p = rdata;
94 for (i = 0; i < SVAL(rparam,4); ++i) {
95 job.id = SVAL(p,0);
96 job.priority = SVAL(p,2);
97 fstrcpy(job.user,
98 fix_char_ptr(SVAL(p,4), converter,
99 rdata, rdrcnt));
100 job.t = cli_make_unix_date3(cli, p + 12);
101 job.size = IVAL(p,16);
102 fstrcpy(job.name,fix_char_ptr(SVAL(p,24),
103 converter,
104 rdata, rdrcnt));
105 fn(&job);
106 p += 28;
111 /* If any parameters or data were returned, free the storage. */
112 SAFE_FREE(rparam);
113 SAFE_FREE(rdata);
115 return i;
118 /****************************************************************************
119 cancel a print job
120 ****************************************************************************/
122 int cli_printjob_del(struct cli_state *cli, int job)
124 char *rparam = NULL;
125 char *rdata = NULL;
126 char *p;
127 unsigned int rdrcnt,rprcnt;
128 int ret = -1;
129 char param[1024];
131 memset(param,'\0',sizeof(param));
133 p = param;
134 SSVAL(p,0,81); /* DosPrintJobDel() */
135 p += 2;
136 safe_strcpy_base(p,"W", param,sizeof(param));
137 p = skip_string(param,sizeof(param),p);
138 safe_strcpy_base(p,"", param,sizeof(param));
139 p = skip_string(param,sizeof(param),p);
140 SSVAL(p,0,job);
141 p += 2;
143 if (cli_api(cli,
144 param, PTR_DIFF(p,param), 1024, /* Param, length, maxlen */
145 NULL, 0, CLI_BUFFER_SIZE, /* data, length, maxlen */
146 &rparam, &rprcnt, /* return params, length */
147 &rdata, &rdrcnt)) { /* return data, length */
148 ret = SVAL(rparam,0);
151 SAFE_FREE(rparam);
152 SAFE_FREE(rdata);
154 return ret;
158 /****************************************************************************
159 Open a spool file
160 ****************************************************************************/
162 int cli_spl_open(struct cli_state *cli, const char *fname, int flags, int share_mode)
164 char *p;
165 unsigned openfn=0;
166 unsigned accessmode=0;
168 if (flags & O_CREAT)
169 openfn |= (1<<4);
170 if (!(flags & O_EXCL)) {
171 if (flags & O_TRUNC)
172 openfn |= (1<<1);
173 else
174 openfn |= (1<<0);
177 accessmode = (share_mode<<4);
179 if ((flags & O_ACCMODE) == O_RDWR) {
180 accessmode |= 2;
181 } else if ((flags & O_ACCMODE) == O_WRONLY) {
182 accessmode |= 1;
185 #if defined(O_SYNC)
186 if ((flags & O_SYNC) == O_SYNC) {
187 accessmode |= (1<<14);
189 #endif /* O_SYNC */
191 if (share_mode == DENY_FCB) {
192 accessmode = 0xFF;
195 memset(cli->outbuf,'\0',smb_size);
196 memset(cli->inbuf,'\0',smb_size);
198 cli_set_message(cli->outbuf,15,0,True);
200 SCVAL(cli->outbuf,smb_com,SMBsplopen);
201 SSVAL(cli->outbuf,smb_tid,cli->cnum);
202 cli_setup_packet(cli);
204 SSVAL(cli->outbuf,smb_vwv0,0xFF);
205 SSVAL(cli->outbuf,smb_vwv2,0); /* no additional info */
206 SSVAL(cli->outbuf,smb_vwv3,accessmode);
207 SSVAL(cli->outbuf,smb_vwv4,aSYSTEM | aHIDDEN);
208 SSVAL(cli->outbuf,smb_vwv5,0);
209 SSVAL(cli->outbuf,smb_vwv8,openfn);
211 if (cli->use_oplocks) {
212 /* if using oplocks then ask for a batch oplock via
213 core and extended methods */
214 SCVAL(cli->outbuf,smb_flg, CVAL(cli->outbuf,smb_flg)|
215 FLAG_REQUEST_OPLOCK|FLAG_REQUEST_BATCH_OPLOCK);
216 SSVAL(cli->outbuf,smb_vwv2,SVAL(cli->outbuf,smb_vwv2) | 6);
219 p = smb_buf(cli->outbuf);
220 p += clistr_push(cli, p, fname, -1, STR_TERMINATE);
222 cli_setup_bcc(cli, p);
224 cli_send_smb(cli);
225 if (!cli_receive_smb(cli)) {
226 return -1;
229 if (cli_is_error(cli)) {
230 return -1;
233 return SVAL(cli->inbuf,smb_vwv2);
236 /****************************************************************************
237 Close a file.
238 ****************************************************************************/
240 bool cli_spl_close(struct cli_state *cli, int fnum)
242 memset(cli->outbuf,'\0',smb_size);
243 memset(cli->inbuf,'\0',smb_size);
245 cli_set_message(cli->outbuf,3,0,True);
247 SCVAL(cli->outbuf,smb_com,SMBsplclose);
248 SSVAL(cli->outbuf,smb_tid,cli->cnum);
249 cli_setup_packet(cli);
251 SSVAL(cli->outbuf,smb_vwv0,fnum);
252 SIVALS(cli->outbuf,smb_vwv1,-1);
254 cli_send_smb(cli);
255 if (!cli_receive_smb(cli)) {
256 return False;
259 return !cli_is_error(cli);