mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0

convert_string_talloc_handle() tries to play on the safe side
and always returns a null terminated array.

But for NDR we need to be correct on the wire...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 43648e95a5)
Stefan Metzmacher 2021-11-03 13:57:50 +01:00 committed by Jule Anger
parent 9be924f907
commit 7734584c4f
3 changed files with 5 additions and 3 deletions


@ -236,7 +236,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_string(struct ndr_push *ndr, int ndr_flags,
s_len++;
}
if (!do_convert) {
if (s_len == 0) {
d_len = 0;
dest = (uint8_t *)talloc_strdup(ndr, "");
} else if (!do_convert) {
d_len = s_len;
dest = (uint8_t *)talloc_strndup(ndr, s, s_len);
} else if (!convert_string_talloc(ndr, CH_UNIX, chset, s, s_len,
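Review bot: The new `s_len == 0` branch stores the result of `talloc_strdup(ndr, "")` in `dest` without a NULL check, and the `talloc_strndup()` branch just below it has the same gap. On allocation failure `dest` would be NULL while `d_len` is already set; whether the code after this chain tolerates that is not visible here, because ndr_push_string() continues outside the hunk, so failing explicitly with `NDR_ERR_HAVE_NO_MEMORY(dest);` once the chain has completed would be safer. A short comment on the new branch, for example `/* convert_string_talloc() always NUL-terminates; an empty string must put zero bytes on the wire */`, would keep the reasoning from the commit message next to the code.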


@ -0,0 +1 @@
^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE


@ -1,2 +0,0 @@
^samba4.local.ndr.ndr_string.ndr_string
^samba4.local.ndr.system.iconv.ndr_string.ndr_string