mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
samba-mirror/libcli/nbt
Joseph Sutton edad945339 librpc/nbt: Avoid reading invalid member of union
WACK packets use the ‘data’ member of the ‘nbt_rdata’ union, but they
claim to be a different type — NBT_QTYPE_NETBIOS — than would normally
be used with that union member. This means that if rr_type is equal to
NBT_QTYPE_NETBIOS, ndr_push_nbt_res_rec() has to guess which type the
structure really is by examining the data member. However, if the
structure is actually of a different type, that union member will not be
valid and accessing it will invoke undefined behaviour.

To fix this, eliminate all the guesswork and introduce a new type,
NBT_QTYPE_WACK, which can never appear on the wire, and which indicates
that although the ‘data’ union member should be used, the wire type is
actually NBT_QTYPE_NETBIOS.

This means that as far as NDR is concerned, the ‘netbios’ member of the
‘nbt_rdata’ union will consistently be used for all NBT_QTYPE_NETBIOS
structures; we shall no longer access the wrong member of the union.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38480

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15019

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Jul  7 01:14:06 UTC 2023 on atb-devel-224
2023-07-07 01:14:06 +00:00
man docs: remove duplicate word "name" in nmblookup4 manpage. 2013-11-19 09:52:39 +01:00
tools nmblookup: don't ignore unknown options 2021-09-10 15:10:30 +00:00
libnbt.h libcli: nbt: Fix resolve_lmhosts_file_as_sockaddr() to return size_t * count of addresses. 2020-09-15 10:09:37 +00:00
lmhosts.c libcli: nbt: Fix resolve_lmhosts_file_as_sockaddr() to return size_t * count of addresses. 2020-09-15 10:09:37 +00:00
namequery.c libnbt: Add an explicit "mem_ctx" to name_request_send 2018-04-13 18:14:41 +02:00
namerefresh.c libnbt: Add an explicit "mem_ctx" to name_request_send 2018-04-13 18:14:41 +02:00
nameregister.c libnbt: Add an explicit "mem_ctx" to name_request_send 2018-04-13 18:14:41 +02:00
namerelease.c libnbt: Add an explicit "mem_ctx" to name_request_send 2018-04-13 18:14:41 +02:00
nbt_proto.h libnbt: Add an explicit "mem_ctx" to name_request_send 2018-04-13 18:14:41 +02:00
nbtname.c librpc/nbt: Avoid reading invalid member of union 2023-07-07 01:14:06 +00:00
nbtsocket.c lib: Remove idtree from samba_util.h 2023-01-10 00:28:37 +00:00
pynbt.c Fix clang 9 missing-field-initializer warnings 2020-05-08 09:31:31 +00:00
wscript_build libcli:nbt: Migrate nmblookup4 to new cmdline option parser 2021-06-20 23:26:32 +00:00