sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-24 10:50:22 +03:00
Code

librpc: Avoid spinning on string_array elements with a short input

Browse Source 
Without this protection we will spin during decode of a string_array or nstring_array
that is terminated by only a single NUL byte, not two as required by UTF-16.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13874

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett 2019-11-07 14:19:24 +13:00
parent bf8063e369
commit d15a3797c7
2 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
librpc/ndr/ndr_string.c
View File

@ -118,9 +118,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_string(struct ndr_pull *ndr, int ndr_flags,
break;
case LIBNDR_FLAG_STR_NULLTERM:
/*
* We ensure that conv_str_len cannot return 0 by
* requring that there be enough bytes for at least
* the NULL terminator
*/
if (byte_mul == 1) {
NDR_PULL_NEED_BYTES(ndr, 1);
conv_src_len = ascii_len_n((const char *)(ndr->data+ndr->offset), ndr->data_size - ndr->offset);
} else {
NDR_PULL_NEED_BYTES(ndr, 2);
conv_src_len = utf16_len_n(ndr->data+ndr->offset, ndr->data_size - ndr->offset);
}
byte_mul = 1; /* the length is now absolute */

3
selftest/knownfail.d/bug-13874
View File

@ -1,3 +0,0 @@
^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_PackagesBlob\(none\)
^librpc.ndr.ndr_string.test_pull_string_zero_len_nul_term\(none\)
^librpc.ndr.ndr_string.test_pull_string_len_1_nul_term\(none\)