From 0544a3a3c9c7e51c80428965a6f37cc486d2538d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 3 Nov 2021 13:57:50 +0100
Subject: [PATCH] librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0 convert_string_talloc_handle() tries to play an the safe side and always returns a null terminated array. But for NDR we need to be correct on the wire...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
(cherry picked from commit 43648e95a514020da4c7efa62df55d0882e3db85)
---
librpc/ndr/ndr_string.c | 5 ++++-
selftest/knownfail.d/blackbox.ndrdump | 1 +
selftest/knownfail.d/ndr_string | 2 --
3 files changed, 5 insertions(+), 3 deletions(-)
create mode 100644 selftest/knownfail.d/blackbox.ndrdump
delete mode 100644 selftest/knownfail.d/ndr_string
diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 77efb3e9848..2b3737ce258 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -236,7 +236,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_string(struct ndr_push *ndr, int ndr_flags,
 s_len++;
 }
- if (!do_convert) {
+ if (s_len == 0) {
+ d_len = 0;
+ dest = (uint8_t *)talloc_strdup(ndr, "");
+ } else if (!do_convert) {
 d_len = s_len;
 dest = (uint8_t *)talloc_strndup(ndr, s, s_len);
 } else if (!convert_string_talloc(ndr, CH_UNIX, chset, s, s_len,
diff --git a/selftest/knownfail.d/blackbox.ndrdump b/selftest/knownfail.d/blackbox.ndrdump
new file mode 100644
index 00000000000..8131b070b37
--- /dev/null
+++ b/selftest/knownfail.d/blackbox.ndrdump
@@ -0,0 +1 @@
+^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE
diff --git a/selftest/knownfail.d/ndr_string b/selftest/knownfail.d/ndr_string
deleted file mode 100644
index f4c864eb383..00000000000
--- a/selftest/knownfail.d/ndr_string
+++ /dev/null
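Review bot: In the ndr_string.c hunk, neither the added `talloc_strdup(ndr, "")` branch nor the existing `talloc_strndup()` branch checks `dest` for NULL on the visible lines, so an allocation failure is only handled if code outside the hunk tests it. ndr_push_string() starts before and continues past this hunk, so please confirm such a check exists, or add `NDR_ERR_HAVE_NO_MEMORY(dest);` once the if/else chain is closed. The `s_len == 0` special case also needs a comment, because its rationale currently lives only in the commit message: `/* convert_string_talloc() always NUL-terminates its output; an empty input must still yield d_len == 0 on the wire */`.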
@@ -1,2 +0,0 @@
-^samba4.local.ndr.ndr_string.ndr_string
-^samba4.local.ndr.system.iconv.ndr_string.ndr_string