1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

s3:mdssvc: marshalling: fix unpacking empty filemeta structure

This is how a correct dump of an empty sl_filemeta_t container should look like:

DALLOC_CTX(#1): {
	sl_array_t(#3): {
		uint64_t: 0x0023
		CNIDs: unkn1: 0x0, unkn2: 0x0
			DALLOC_CTX(#0): {
			}
		sl_filemeta_t(#0): {
		}
	}
}

This is basically the response from macOS mdssvc for a query that yields no
results: sl_filemeta_t is empty, the CNIDs array as well.

Looking at the raw packet data, the empty sl_filemeta_t container as a size of 8
bytes which fails the following check in sl_unpack_cpx():

        case SQ_CPX_TYPE_FILEMETA:
                ...
		if (tag.size < 16) {
		        *boom*
                }

Only tag.size=0 is invalid, tag.size=8 denotes an empty container and tag.size>=16
denotes a sl_filemeta_t container with actual content must be unpacked by
calling sl_unpack(). Note that size is always a muliple of 8.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Ralph Boehme 2019-05-03 22:52:56 +02:00 committed by Jeremy Allison
parent ed37f2d3c4
commit d67c98184a

View File

@ -1005,7 +1005,7 @@ static ssize_t sl_unpack_cpx(DALLOC_CTX *query,
if (offset == -1) {
return -1;
}
if (tag.size < 16) {
if (tag.size < 8) {
DBG_WARNING("size too mall: %zu\n", tag.size);
return -1;
}
@ -1014,9 +1014,14 @@ static ssize_t sl_unpack_cpx(DALLOC_CTX *query,
if (sl_fm == NULL) {
return -1;
}
result = sl_unpack(sl_fm, buf + offset, bufsize - offset );
if (result == -1) {
return -1;
if (tag.size >= 16) {
result = sl_unpack(sl_fm,
buf + offset,
bufsize - offset );
if (result == -1) {
return -1;
}
}
result = dalloc_add(query, sl_fm, sl_filemeta_t);
if (result != 0) {