mirror of
https://github.com/samba-team/samba.git
synced 2025-01-10 01:18:15 +03:00
CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet
An empty UDP packet put the nbt server into a busy loop that consumes 100% of a cpu. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Autobuild-User(master): Karolin Seeger <kseeger@samba.org> Autobuild-Date(master): Thu Jul 2 10:26:24 UTC 2020 on sn-devel-184
This commit is contained in:
parent
b232a7bc54
commit
3cc0f1eeda
@ -167,8 +167,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock)
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* Given a zero length, data_blob_talloc() returns the
|
||||
* NULL blob {NULL, 0}.
|
||||
*
|
||||
* We only want to error return here on a real out of memory condition
|
||||
* (i.e. dsize != 0, so the UDP packet has data, but the return of the
|
||||
* allocation failed, so blob.data==NULL).
|
||||
*
|
||||
* Given an actual zero length UDP packet having blob.data == NULL
|
||||
* isn't an out of memory error condition, that's the defined semantics
|
||||
* of data_blob_talloc() when asked for zero bytes.
|
||||
*
|
||||
* We still need to continue to do the zero-length socket_recvfrom()
|
||||
* read in order to clear the "read pending" condition on the socket.
|
||||
*/
|
||||
blob = data_blob_talloc(tmp_ctx, NULL, dsize);
|
||||
if (blob.data == NULL) {
|
||||
if (blob.data == NULL && dsize != 0) {
|
||||
talloc_free(tmp_ctx);
|
||||
return;
|
||||
}
|
||||
|
@ -1 +0,0 @@
|
||||
^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet
|
Loading…
Reference in New Issue
Block a user