mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet

An empty UDP packet put the nbt server into a busy loop that consumes
100% of a cpu.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Jul  2 10:26:24 UTC 2020 on sn-devel-184
Gary Lockyer 2020-06-24 14:27:08 +12:00 committed by Karolin Seeger
parent b232a7bc54
commit 3cc0f1eeda
2 changed files with 16 additions and 2 deletions


@ -167,8 +167,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock)
return;
}
/*
* Given a zero length, data_blob_talloc() returns the
* NULL blob {NULL, 0}.
*
* We only want to error return here on a real out of memory condition
* (i.e. dsize != 0, so the UDP packet has data, but the return of the
* allocation failed, so blob.data==NULL).
*
* Given an actual zero length UDP packet having blob.data == NULL
* isn't an out of memory error condition, that's the defined semantics
* of data_blob_talloc() when asked for zero bytes.
*
* We still need to continue to do the zero-length socket_recvfrom()
* read in order to clear the "read pending" condition on the socket.
*/
blob = data_blob_talloc(tmp_ctx, NULL, dsize);
if (blob.data == NULL) {
if (blob.data == NULL && dsize != 0) {
talloc_free(tmp_ctx);
return;
}
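Review bot: In the new check `if (blob.data == NULL && dsize != 0)`, a zero-length packet now falls through with blob.data == NULL, and the comment explains why the socket_recvfrom() read must still happen but not what becomes of the empty blob afterwards. Please add a sentence to the comment naming where the empty packet is discarded after the read, or make it explicit with a length check and early return once the read has cleared the pending condition, so that later code is never handed a NULL data pointer by accident.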


@ -1 +0,0 @@
^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet
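Review bot: The removed knownfail entry for TestNbtPackets.test_empty_packet is the only sign of test coverage in this commit, and the commit message does not mention it. Add a line to the message saying that this test now passes with the fix, so the link between the knownfail removal and the busy-loop fix is recorded.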