From 1417e8307d4b03a638f2eba8ad7c8241ae7ce8a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 20 Nov 2009 12:57:13 +0100 Subject: [PATCH 1/2] spoolss: fix spoolss_EnumPrinterKey IDL. Guenther --- librpc/gen_ndr/cli_spoolss.c | 4 +- librpc/gen_ndr/cli_spoolss.h | 2 +- librpc/gen_ndr/ndr_spoolss.c | 80 ++++++++++++++++-------------------------- librpc/gen_ndr/spoolss.h | 2 +- librpc/gen_ndr/srv_spoolss.c | 4 +- librpc/idl/spoolss.idl | 2 +- 6 files changed, 37 insertions(+), 57 deletions(-) diff --git a/librpc/gen_ndr/cli_spoolss.c b/librpc/gen_ndr/cli_spoolss.c index 1e94a2a..70dfab3 100644 --- a/librpc/gen_ndr/cli_spoolss.c +++ b/librpc/gen_ndr/cli_spoolss.c @@ -3811,7 +3811,7 @@ NTSTATUS rpccli_spoolss_EnumPrinterKey(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *handle /* [in] [ref] */, const char *key_name /* [in] [charset(UTF16)] */, - const char ** *key_buffer /* [out] [subcontext_size(offered),ref,subcontext(0),flag(LIBNDR_FLAG_STR_NULLTERM)] */, + uint16_t *key_buffer /* [out] [ref,size_is(offered/2)] */, uint32_t offered /* [in] */, uint32_t *needed /* [out] [ref] */, WERROR *werror) @@ -3847,7 +3847,7 @@ NTSTATUS rpccli_spoolss_EnumPrinterKey(struct rpc_pipe_client *cli, } /* Return variables */ - *key_buffer = *r.out.key_buffer; + memcpy(key_buffer, r.out.key_buffer, r.in.offered / 2 * sizeof(*key_buffer)); *needed = *r.out.needed; /* Return result */ diff --git a/librpc/gen_ndr/cli_spoolss.h b/librpc/gen_ndr/cli_spoolss.h index eb86e8c..4c621f4 100644 --- a/librpc/gen_ndr/cli_spoolss.h +++ b/librpc/gen_ndr/cli_spoolss.h 
@@ -497,7 +497,7 @@ NTSTATUS rpccli_spoolss_EnumPrinterKey(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *handle /* [in] [ref] */, const char *key_name /* [in] [charset(UTF16)] */, - const char ** *key_buffer /* [out] [subcontext_size(offered),ref,subcontext(0),flag(LIBNDR_FLAG_STR_NULLTERM)] */, + uint16_t *key_buffer /* [out] [ref,size_is(offered/2)] */, uint32_t offered /* [in] */, uint32_t *needed /* [out] [ref] */, WERROR *werror); diff --git a/librpc/gen_ndr/ndr_spoolss.c b/librpc/gen_ndr/ndr_spoolss.c index d4195e4..d03196e 100644 --- a/librpc/gen_ndr/ndr_spoolss.c +++ b/librpc/gen_ndr/ndr_spoolss.c @@ -26619,6 +26619,7 @@ _PUBLIC_ void ndr_print_spoolss_EnumPrinterDataEx(struct ndr_print *ndr, const c _PUBLIC_ enum ndr_err_code ndr_push_spoolss_EnumPrinterKey(struct ndr_push *ndr, int flags, const struct spoolss_EnumPrinterKey *r) { + uint32_t cntr_key_buffer_1; if (flags & NDR_IN) { if (r->in.handle == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); 
@@ -26631,22 +26632,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_EnumPrinterKey(struct ndr_push *ndr, NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.offered)); } if (flags & NDR_OUT) { - { - uint32_t _flags_save_string_array = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM); - if (r->out.key_buffer == NULL) { - return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); - } - NDR_CHECK(ndr_push_unique_ptr(ndr, *r->out.key_buffer)); - if (*r->out.key_buffer) { - { - struct ndr_push *_ndr_key_buffer; - NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_key_buffer, 0, r->in.offered)); - NDR_CHECK(ndr_push_string_array(_ndr_key_buffer, NDR_SCALARS, *r->out.key_buffer)); - NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_key_buffer, 0, r->in.offered)); - } - } - ndr->flags = _flags_save_string_array; + if (r->out.key_buffer == NULL) { + return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); + } + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.offered / 2)); + for (cntr_key_buffer_1 = 0; cntr_key_buffer_1 < r->in.offered / 2; cntr_key_buffer_1++) { + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->out.key_buffer[cntr_key_buffer_1])); } if (r->out.needed == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); @@ -26659,9 +26650,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_EnumPrinterKey(struct ndr_push *ndr, _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_EnumPrinterKey(struct ndr_pull *ndr, int flags, struct spoolss_EnumPrinterKey *r) { - uint32_t _ptr_key_buffer; + uint32_t cntr_key_buffer_1; TALLOC_CTX *_mem_save_handle_0; - TALLOC_CTX *_mem_save_key_buffer_0; TALLOC_CTX *_mem_save_key_buffer_1; TALLOC_CTX *_mem_save_needed_0; if (flags & NDR_IN) { 
@@ -26682,40 +26672,22 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_EnumPrinterKey(struct ndr_pull *ndr, NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); - NDR_PULL_ALLOC(ndr, r->out.key_buffer); - ZERO_STRUCTP(r->out.key_buffer); + NDR_PULL_ALLOC_N(ndr, r->out.key_buffer, r->in.offered / 2); + memset(r->out.key_buffer, 0, (r->in.offered / 2) * sizeof(*r->out.key_buffer)); NDR_PULL_ALLOC(ndr, r->out.needed); ZERO_STRUCTP(r->out.needed); } if (flags & NDR_OUT) { - { - uint32_t _flags_save_string_array = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM); - if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { - NDR_PULL_ALLOC(ndr, r->out.key_buffer); - } - _mem_save_key_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); - NDR_PULL_SET_MEM_CTX(ndr, r->out.key_buffer, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_key_buffer)); - if (_ptr_key_buffer) { - NDR_PULL_ALLOC(ndr, *r->out.key_buffer); - } else { - *r->out.key_buffer = NULL; - } - if (*r->out.key_buffer) { - _mem_save_key_buffer_1 = NDR_PULL_GET_MEM_CTX(ndr); - NDR_PULL_SET_MEM_CTX(ndr, *r->out.key_buffer, 0); - { - struct ndr_pull *_ndr_key_buffer; - NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_key_buffer, 0, r->in.offered)); - NDR_CHECK(ndr_pull_string_array(_ndr_key_buffer, NDR_SCALARS, r->out.key_buffer)); - NDR_CHECK(ndr_pull_subcontext_end(ndr, _ndr_key_buffer, 0, r->in.offered)); - } - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_buffer_1, 0); - } - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_buffer_0, LIBNDR_FLAG_REF_ALLOC); - ndr->flags = _flags_save_string_array; + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.key_buffer)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC_N(ndr, r->out.key_buffer, ndr_get_array_size(ndr, 
&r->out.key_buffer)); } + _mem_save_key_buffer_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.key_buffer, 0); + for (cntr_key_buffer_1 = 0; cntr_key_buffer_1 < r->in.offered / 2; cntr_key_buffer_1++) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.key_buffer[cntr_key_buffer_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_buffer_1, 0); if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { NDR_PULL_ALLOC(ndr, r->out.needed); } @@ -26724,12 +26696,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_EnumPrinterKey(struct ndr_pull *ndr, NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->out.needed)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_needed_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); + if (r->out.key_buffer) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.key_buffer, r->in.offered / 2)); + } } return NDR_ERR_SUCCESS; } _PUBLIC_ void ndr_print_spoolss_EnumPrinterKey(struct ndr_print *ndr, const char *name, int flags, const struct spoolss_EnumPrinterKey *r) { + uint32_t cntr_key_buffer_1; ndr_print_struct(ndr, name, "spoolss_EnumPrinterKey"); ndr->depth++; if (flags & NDR_SET_VALUES) { @@ -26751,10 +26727,14 @@ _PUBLIC_ void ndr_print_spoolss_EnumPrinterKey(struct ndr_print *ndr, const char ndr->depth++; ndr_print_ptr(ndr, "key_buffer", r->out.key_buffer); ndr->depth++; - ndr_print_ptr(ndr, "key_buffer", *r->out.key_buffer); + ndr->print(ndr, "%s: ARRAY(%d)", "key_buffer", (int)r->in.offered / 2); ndr->depth++; - if (*r->out.key_buffer) { - ndr_print_string_array(ndr, "key_buffer", *r->out.key_buffer); + for (cntr_key_buffer_1=0;cntr_key_buffer_1in.offered / 2;cntr_key_buffer_1++) { + char *idx_1=NULL; + if (asprintf(&idx_1, "[%d]", cntr_key_buffer_1) != -1) { + ndr_print_uint16(ndr, "key_buffer", r->out.key_buffer[cntr_key_buffer_1]); + free(idx_1); + } } ndr->depth--; ndr->depth--; diff --git a/librpc/gen_ndr/spoolss.h b/librpc/gen_ndr/spoolss.h index a9f7aaf..2053065 100644 
--- a/librpc/gen_ndr/spoolss.h +++ b/librpc/gen_ndr/spoolss.h @@ -3030,7 +3030,7 @@ struct spoolss_EnumPrinterKey { } in; struct { - const char ** *key_buffer;/* [subcontext_size(offered),ref,subcontext(0),flag(LIBNDR_FLAG_STR_NULLTERM)] */ + uint16_t *key_buffer;/* [ref,size_is(offered/2)] */ uint32_t *needed;/* [ref] */ WERROR result; } out; diff --git a/librpc/gen_ndr/srv_spoolss.c b/librpc/gen_ndr/srv_spoolss.c index 79efbb5..3bbe401 100644 --- a/librpc/gen_ndr/srv_spoolss.c +++ b/librpc/gen_ndr/srv_spoolss.c @@ -6296,7 +6296,7 @@ static bool api_spoolss_EnumPrinterKey(pipes_struct *p) } ZERO_STRUCT(r->out); - r->out.key_buffer = talloc_zero(r, const char **); + r->out.key_buffer = talloc_zero_array(r, uint16_t, r->in.offered / 2); if (r->out.key_buffer == NULL) { talloc_free(r); return false; @@ -8399,7 +8399,7 @@ NTSTATUS rpc_spoolss_dispatch(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, case NDR_SPOOLSS_ENUMPRINTERKEY: { struct spoolss_EnumPrinterKey *r = (struct spoolss_EnumPrinterKey *)_r; ZERO_STRUCT(r->out); - r->out.key_buffer = talloc_zero(mem_ctx, const char **); + r->out.key_buffer = talloc_zero_array(mem_ctx, uint16_t, r->in.offered / 2); if (r->out.key_buffer == NULL) { return NT_STATUS_NO_MEMORY; } diff --git a/librpc/idl/spoolss.idl b/librpc/idl/spoolss.idl index f306462..e4f03e5 100644 --- a/librpc/idl/spoolss.idl +++ b/librpc/idl/spoolss.idl @@ -2302,7 +2302,7 @@ import "misc.idl", "security.idl", "winreg.idl"; [public] WERROR spoolss_EnumPrinterKey( [in, ref] policy_handle *handle, [in] [string,charset(UTF16)] uint16 key_name[], - [out,ref] [subcontext(0),subcontext_size(offered)] nstring_array **key_buffer, + [out,ref] [size_is(offered/2)] uint16 *key_buffer, [in] uint32 offered, [out,ref] uint32 *needed ); -- 1.6.5.2 From e2e1ce01d9fc377b33fe72daf09b6b897cb22376 Mon Sep 17 00:00:00 2001 
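Review bot: The new `[size_is(offered/2)] uint16 *key_buffer` line in spoolss.idl ties the array length to a caller-supplied byte count without saying so, and the regenerated stubs in this patch inherit that. In ndr_pull_spoolss_EnumPrinterKey the NDR_OUT branch allocates `key_buffer` from the wire's conformant size under LIBNDR_FLAG_REF_ALLOC but loops to `r->in.offered / 2`, and `ndr_check_array_size` runs only after the loop. A reply whose array size is smaller than `offered / 2` therefore looks able to write past the allocation before it is rejected; this should be confirmed against the pidl output rather than assumed safe. On the server side `talloc_zero_array(r, uint16_t, r->in.offered / 2)` in api_spoolss_EnumPrinterKey sizes an allocation directly from the request, so an upper bound on `offered` is worth considering. At minimum I would add above the parameter: `/* key_buffer is a raw UTF-16 multi-sz; offered is in bytes, so an odd value drops its last byte */`.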
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 20 Nov 2009 16:34:00 +0100 Subject: [PATCH 2/2] s3-spoolss: fix spoolss_EnumPrinterKey client and server code. Guenther (cherry picked from commit d464151f3b47c675664f464b1645ca85de663655) --- source3/rpc_client/cli_spoolss.c | 24 +++++++++++++++++++++--- source3/rpc_server/srv_spoolss_nt.c | 23 +++++++++++++++++++---- 2 files changed, 40 insertions(+), 7 deletions(-) diff --git a/source3/rpc_client/cli_spoolss.c b/source3/rpc_client/cli_spoolss.c index 3f369bd..ff8736d 100644 --- a/source3/rpc_client/cli_spoolss.c +++ b/source3/rpc_client/cli_spoolss.c @@ -760,27 +760,45 @@ WERROR rpccli_spoolss_enumprinterkey(struct rpc_pipe_client *cli, NTSTATUS status; WERROR werror; uint32_t needed; + uint16_t *buffer = NULL; + + *key_buffer = NULL; + + if (offered) { + buffer = talloc_array(mem_ctx, uint16_t, offered); + W_ERROR_HAVE_NO_MEMORY(buffer); + } status = rpccli_spoolss_EnumPrinterKey(cli, mem_ctx, handle, key_name, - key_buffer, + buffer, offered, &needed, &werror); if (W_ERROR_EQUAL(werror, WERR_MORE_DATA)) { offered = needed; - + buffer = talloc_realloc(mem_ctx, buffer, uint16_t, needed); + W_ERROR_HAVE_NO_MEMORY(buffer); status = rpccli_spoolss_EnumPrinterKey(cli, mem_ctx, handle, key_name, - key_buffer, + buffer, offered, &needed, &werror); } + if (W_ERROR_IS_OK(werror)) { + const char **array; + DATA_BLOB blob = data_blob_const((uint8_t *)buffer, offered); + if (!pull_reg_multi_sz(mem_ctx, &blob, &array)) { + return WERR_NOMEM; + } + *key_buffer = array; + } + return werror; } diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c index 87735d3..f0bf851 100644 --- a/source3/rpc_server/srv_spoolss_nt.c +++ b/source3/rpc_server/srv_spoolss_nt.c @@ -9259,7 +9259,7 @@ WERROR _spoolss_EnumPrinterKey(pipes_struct *p, WERROR result = WERR_BADFILE; int i; const char **array = NULL; - + DATA_BLOB blob; DEBUG(4,("_spoolss_EnumPrinterKey\n")); 
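Review bot: In rpccli_spoolss_enumprinterkey the buffer is sized in elements but consumed in bytes. `talloc_array(mem_ctx, uint16_t, offered)` and `talloc_realloc(mem_ctx, buffer, uint16_t, needed)` allocate twice what the stub fills, while `data_blob_const((uint8_t *)buffer, offered)` hands `offered` bytes to pull_reg_multi_sz. The generated stub in patch 1 copies only `offered / 2` elements, so for an odd `offered` the last byte parsed is whatever talloc_array left there; a blob length of `(offered / 2) * sizeof(uint16_t)` would keep the copy and the parse in the same unit. `status` from both calls is also still unchecked before `werror` and `needed` are read, and both are declared without an initialiser, so unless the stub is known to set them on every path I would add `if (!NT_STATUS_IS_OK(status)) { return ntstatus_to_werror(status); }` after each call. The function's parameter list and opening lie outside the hunk.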
@@ -9288,7 +9288,9 @@ WERROR _spoolss_EnumPrinterKey(pipes_struct *p, goto done; } - *r->out.needed = 4; + /* two byte termination (a multisz) */ + + *r->out.needed = 2; array = talloc_zero_array(r->out.key_buffer, const char *, num_keys + 1); if (!array) { @@ -9297,6 +9299,10 @@ WERROR _spoolss_EnumPrinterKey(pipes_struct *p, } for (i=0; i < num_keys; i++) { + + DEBUG(10,("_spoolss_EnumPrinterKey: adding keyname: %s\n", + keynames[i])); + array[i] = talloc_strdup(array, keynames[i]); if (!array[i]) { result = WERR_NOMEM; @@ -9313,12 +9319,21 @@ WERROR _spoolss_EnumPrinterKey(pipes_struct *p, result = WERR_OK; - *r->out.key_buffer = array; + if (!push_reg_multi_sz(p->mem_ctx, &blob, array)) { + result = WERR_NOMEM; + goto done; + } + + if (r->in.offered == blob.length) { + memcpy(r->out.key_buffer, blob.data, blob.length); + } done: if (!W_ERROR_IS_OK(result)) { TALLOC_FREE(array); - ZERO_STRUCTP(r->out.key_buffer); + if (!W_ERROR_EQUAL(result, WERR_MORE_DATA)) { + *r->out.needed = 0; + } } free_a_printer(&printer, 2); -- 1.6.5.2
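Review bot: The copy in the last hunk runs only when `r->in.offered == blob.length`, yet `result` stays WERR_OK when the sizes differ, so a caller offering more room than the multi-sz needs gets success with the key_buffer still as the stub zero-allocated it. I would copy whenever the data fits and report the shortfall otherwise: `if (blob.length <= (r->in.offered / 2) * sizeof(uint16_t)) { memcpy(r->out.key_buffer, blob.data, blob.length); } else { result = WERR_MORE_DATA; }`, with the bound written in terms of the `offered / 2` elements the generated server stub allocates. `*r->out.needed` is seeded with 2 in the `@@ -9288` hunk and is presumably accumulated in lines outside the hunks, independently of `push_reg_multi_sz`; setting `*r->out.needed = blob.length;` after the push would keep the reported size and the copied size from drifting apart. _spoolss_EnumPrinterKey begins and ends outside these hunks.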