[Q] enumprinterdrivers 2|3 is broken - Samba


Thread: [Q] enumprinterdrivers 2|3 is broken

  1. [Q] enumprinterdrivers 2|3 is broken

    It appears that we are never protecting ourselves from \\ slashes in
    the incoming server name in spoolss requests. While doing
    enumprinterdrivers 2 and 3 levels we call
    rpc_server/srv_spoolss_nt.c:enumprinterdrivers_level2() which formats
    returned strings as "\\\\%s\%s" where first parameter is server name.
    Therefore, our response is sending \\\\ slashes.

    In particular, this is different to what Windows does: it looks like they
    simply normalize slashes everywhere.

    This difference actually has a harmful effect: Windows client thinks that
    a driver is changed on the server and reloads it from the Samba server
    on each opening of the printer properties. This is quite noticeable
    for large drivers as network consumption increases.

    We could normalize name in
    rpc_parse/rpc_parse_spoolss.c:spoolss_io_q_enumprinterdrivers()
    (referring to 3-0-stable source) or could strip/normalize in
    enumprinterdrivers_level2(). Not sure which way is better and safer.

    This logical error exists in rpc code in 3-0 and upwards.
    --
    / Alexander Bokovoy


  2. Re: [Q] enumprinterdrivers 2|3 is broken

    On Wed, Jul 02, 2008 at 02:59:10PM +0400, Alexander Bokovoy wrote:
    > It appears that we are never protecting ourselves from \\ slashes in
    > the incoming server name in spoolss requests. While doing
    > enumprinterdrivers 2 and 3 levels we call
    > rpc_server/srv_spoolss_nt.c:enumprinterdrivers_level2() which formats
    > returned strings as "\\\\%s\%s" where first parameter is server name.
    > Therefore, our response is sending \\\\ slashes.
    >
    > In particular, this is different to what Windows does: it looks like they
    > simply normalize slashes everywhere.
    >
    > This difference actually has a harmful effect: Windows client thinks that
    > a driver is changed on the server and reloads it from the Samba server
    > on each opening of the printer properties. This is quite noticeable
    > for large drivers as network consumption increases.
    >
    > We could normalize name in
    > rpc_parse/rpc_parse_spoolss.c:spoolss_io_q_enumprinterdrivers()
    > (referring to 3-0-stable source) or could strip/normalize in
    > enumprinterdrivers_level2(). Not sure which way is better and safer.


    What does Windows do to normalize the servername ? Do they send
    it as '\\servername' or just 'servername' ?

    Jeremy.


  3. Re: [Q] enumprinterdrivers 2|3 is broken

    On Wed, Jul 02, 2008 at 02:59:10PM +0400, Alexander Bokovoy wrote:
    > It appears that we are never protecting ourselves from \\ slashes in
    > the incoming server name in spoolss requests. While doing
    > enumprinterdrivers 2 and 3 levels we call
    > rpc_server/srv_spoolss_nt.c:enumprinterdrivers_level2() which formats
    > returned strings as "\\\\%s\%s" where first parameter is server name.
    > Therefore, our response is sending \\\\ slashes.
    >
    > In particular, this is different to what Windows does: it looks like they
    > simply normalize slashes everywhere.
    >
    > This difference actually has a harmful effect: Windows client thinks that
    > a driver is changed on the server and reloads it from the Samba server
    > on each opening of the printer properties. This is quite noticeable
    > for large drivers as network consumption increases.
    >
    > We could normalize name in
    > rpc_parse/rpc_parse_spoolss.c:spoolss_io_q_enumprinterdrivers()
    > (referring to 3-0-stable source) or could strip/normalize in
    > enumprinterdrivers_level2(). Not sure which way is better and safer.
    >
    > This logical error exists in rpc code in 3-0 and upwards.


    Alexander, can you test this patch for me please ?

    Should fix all uses of \\[\\..]servername to be
    a canonical \\servername.

    Jeremy.
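
The normalization discussed in the posts above, as an added example that is not part of the thread and is not the patch Jeremy refers to (that patch is not reproduced on this page). The function names, the `canon` flag and the sample server and file names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Skip every leading backslash: "\\\\srv", "\\srv" and "srv" all give "srv". */
static const char *canon_servername(const char *name)
{
    while (*name == '\\')
        name++;
    return name;
}

/*
 * Build "\\server\file" in out. With canon == 0 the name is used as
 * received (the behaviour described in the thread); with canon != 0 it
 * is normalized first. Returns 0 on success, -1 on an empty server
 * name or if the result does not fit in out.
 */
static int build_driver_path(char *out, size_t outlen, const char *servername,
                             const char *file, int canon)
{
    const char *srv = canon ? canon_servername(servername) : servername;
    int n;

    if (*srv == '\0')
        return -1;
    n = snprintf(out, outlen, "\\\\%s\\%s", srv, file);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if both spellings of the server name produce the same path, else 0. */
static int same_path(const char *a, const char *b, const char *file, int canon)
{
    char pa[256], pb[256];

    if (build_driver_path(pa, sizeof(pa), a, file, canon) != 0 ||
        build_driver_path(pb, sizeof(pb), b, file, canon) != 0)
        return 0;
    return strcmp(pa, pb) == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *file = "W32X86\\3\\example.dll";
    char path[256];

    if (build_driver_path(path, sizeof(path), "\\\\PRINTSRV", file, 0) == 0)
        printf("as received: %s\n", path);
    if (build_driver_path(path, sizeof(path), "\\\\PRINTSRV", file, 1) == 0)
        printf("normalized:  %s\n", path);
    printf("same path for both spellings: %d\n",
           same_path("\\\\PRINTSRV", "PRINTSRV", file, 1));
    return 0;
}
```

Because a truncated result returns -1 instead of a partial string, a caller never hands a cut-off UNC path back to the client.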


  4. Re: [Q] enumprinterdrivers 2|3 is broken

    Jeremy,

    2008/7/3 Jeremy Allison:
    >> This difference actually has a harmful effect: Windows client thinks that
    >> a driver is changed on the server and reloads it from the Samba server
    >> on each opening of the printer properties. This is quite noticeable
    >> for large drivers as network consumption increases.
    >>
    >> We could normalize name in
    >> rpc_parse/rpc_parse_spoolss.c:spoolss_io_q_enumprinterdrivers()
    >> (referring to 3-0-stable source) or could strip/normalize in
    >> enumprinterdrivers_level2(). Not sure which way is better and safer.
    >>
    >> This logical error exists in rpc code in 3-0 and upwards.

    >
    > Alexander, can you test this patch for me please ?
    >
    > Should fix all uses of \\[\\..]servername to be
    > a canonical \\servername.

    Sorry for slow responses, I'm on vacation with my family and only have
    ten or so minutes per day to check email/look through the code. I see
    you put the fix into v3-0-test, I'll ask a reporter to re-test.


    --
    / Alexander Bokovoy


  5. Re: [Q] enumprinterdrivers 2|3 is broken

    2008/7/3 Alexander Bokovoy:
    >> Alexander, can you test this patch for me please ?
    >>
    >> Should fix all uses of \\[\\..]servername to be
    >> a canonical \\servername.

    > Sorry for slow responses, I'm on vacation with my family and only have
    > ten or so minutes per day to check email/look through the code. I see
    > you put the fix into v3-0-test, I'll ask a reporter to re-test.

    Quick test showed that printer properties are indeed displayed
    correctly now from Windows machines. The impact on traffic use while
    downloading drivers will be measured next week when the reporter will
    have an opportunity to upgrade a production network.
    --
    / Alexander Bokovoy


  6. Re: [Q] enumprinterdrivers 2|3 is broken

    Jeremy,

    2008/7/9 Jeremy Allison:
    >> > you put the fix into v3-0-test, I'll ask a reporter to re-test.

    >> Quick test showed that printer properties are indeed displayed
    >> correctly now from Windows machines. The impact on traffic use while
    >> downloading drivers will be measured next week when the reporter will
    >> have an opportunity to upgrade a production network.

    >
    > Ping. Did this fix help ?

    Just got back to internet connection after a week in forests. Asked a
    bug reporter on production update and haven't got response yet. I'll
    be back at home on Monday, more info by that time, I think.

    --
    / Alexander Bokovoy

