mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

librpc: Do not access name[-1] trying to push "" into a dnsp_name

This simply matches the behaviour from before e7b1acaddf
when the logic for a trailing . was added.  This matches what is added in
the dnsRecord attribute for a name of "." over the dnsserver RPC
management interface and is based on what Windows does for that name
in (eg) an MX record.

Not a security bug because we use talloc and so name will be just the
end of the talloc header.

Credit to OSS-Fuzz

Found using the fuzz_ndr_X fuzzer

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Dec 20 11:33:52 UTC 2019 on sn-devel-184
Andrew Bartlett 2019-12-20 10:50:09 +13:00 committed by Ralph Boehme
parent 16557e4480
commit a85d257c1e
2 changed files with 12 additions and 3 deletions


@ -106,8 +106,18 @@ enum ndr_err_code ndr_push_dnsp_name(struct ndr_push *ndr, int ndr_flags, const
}
total_len = strlen(name) + 1;
/* cope with names ending in '.' */
if (name[strlen(name)-1] != '.') {
/*
* cope with names ending in '.'
*/
if (name[0] == '\0') {
/*
* Don't access name[-1] for the "" input, which has
* the same meaning as a lone '.'.
*
* This allows a round-trip of a dnsRecord from
* Windows of a MX record of '.'
*/
} else if (name[strlen(name)-1] != '.') {
total_len++;
count++;
}
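
Review bot: the new "if (name[0] == '\0')" arm has an empty body that holds only a comment, and the "else if" still calls strlen(name) again after "total_len = strlen(name) + 1;" has already computed it. Consider taking the length once (for example "size_t len = strlen(name);") and writing the check as "if (len > 0 && name[len-1] != '.')", with the explanatory comment placed above it, so the "" case is excluded by the condition itself rather than by an empty branch. For "" this leaves total_len at 1 and count unchanged; the code that consumes those two values is outside the visible lines, so it is worth confirming there that a name with no labels is pushed as intended.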


@ -1 +0,0 @@
^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_dnsp_DnssrvRpcRecord
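
Review bot: this removes the file's only line (the hunk is -1 +0,0), the entry for NdrDumpTests.test_ndrdump_dnsp_DnssrvRpcRecord, yet the commit message does not mention that test at all. Add a sentence to the message stating that this test is expected to pass with the fix, and whether it exercises the "" input directly, so the link between dropping the entry and the name[-1] change is recorded alongside the code.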