mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
samba-mirror/librpc/ndr
Douglas Bagnall bf16cd72b2 ndr: fix ndr_pull_string_array() off by one alloc
The correct line should have been

       talloc_realloc(ndr->current_mem_ctx, a, const char *, count + 2);

because the loop does not increment count on exit (it exits via
break), so count is left pointing at the thing that just got put in.
i.e., if there was one item it is at a[0], count is 0, but we also
need the trailing NULL byte at a[1] and the length is 2. Thus + 2, not
+ 1.

This will not affect ordinary (that is, non-malicious) traffic,
because talloc_realloc will not actually realloc unless it is saving a
kilobyte. Since the allocation grows slowly with the exponent ~1.25,
the actual reallocs will start happening at some point between 512 and
1024 items.

In the example we have, there were 666 pointers, and space for 824 was
allocated.

Rather than doing the +2 realloc, it is simpler to leave it off
altogether; in the common case (<512 items) it is a no-op anyway, and
in the best possible case it reduces the temporary array by 20%.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24646

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-07 03:23:44 +00:00
libndr.h librpc ndr: add recursion check macros 2020-02-27 01:02:32 +00:00
ndr_auth.c
ndr_auth.h
ndr_backupkey.c librpc:ndr: Initialize inblob 2018-11-14 05:07:15 +01:00
ndr_backupkey.h
ndr_basic.c librpc:ndr: Use bytearray.h in ndr_basic.c 2020-02-21 02:09:33 +00:00
ndr_bkupblobs.c
ndr_cab.c librpc/ndr: Remove unused ndr_cab_generate_checksum() 2019-11-29 00:44:40 +00:00
ndr_cab.h librpc/ndr: Remove unused ndr_cab_generate_checksum() 2019-11-29 00:44:40 +00:00
ndr_compression.c librpc/ndr/ndr_compression.c: typo fixes 2019-10-31 00:43:36 +00:00
ndr_compression.h librpc/ndr: add helper functions to setup and free compression states. 2017-07-19 21:22:13 +02:00
ndr_dcerpc.c dcerpc.idl: set LIBNDR_FLAG_* flags based on DCERPC_PFC_FLAG_OBJECT_UUID and DCERPC_DREP_LE 2016-10-26 11:20:18 +02:00
ndr_dcerpc.h
ndr_dns_utils.c CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility 2020-07-02 09:01:41 +00:00
ndr_dns_utils.h CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility 2020-07-02 09:01:41 +00:00
ndr_dns.c CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility 2020-07-02 09:01:41 +00:00
ndr_dns.h
ndr_dnsp.c librpc: Do not access name[-1] trying to push "" into a dnsp_name 2019-12-20 11:33:52 +00:00
ndr_dnsp.h CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function 2016-03-10 06:52:23 +01:00
ndr_dnsserver.c
ndr_dnsserver.h
ndr_drsblobs.c drsblobs.idl: supplementalCredentialsSubBlob make it possible to parse strange blobs 2016-07-20 21:27:17 +02:00
ndr_drsblobs.h
ndr_drsuapi.c librpc: Fix manually written printer for drsuapi_DsAttributeValue 2019-12-18 06:39:26 +00:00
ndr_drsuapi.h
ndr_frsrpc.c
ndr_frsrpc.h
ndr_ioctl.c
ndr_krb5pac.c krb5pac.idl: implement PAC_UPN_DNS_INFO correct 2016-07-20 21:27:18 +02:00
ndr_krb5pac.h krb5pac: no need for a noprint PAC_BUFFER. 2016-07-20 21:27:18 +02:00
ndr_misc.c ndr_misc: read syntax_id using strict util_str_hex functions 2018-05-31 01:57:16 +02:00
ndr_nbt.c CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility 2020-07-02 09:01:41 +00:00
ndr_nbt.h librpc/ndr: add ndr_print_netlogon_samlogon_response() 2019-09-26 18:41:26 +00:00
ndr_negoex.c negoex: Set the switch_value before NDR_BUFFERS to prepare for new libndr behaviour 2019-12-12 02:30:40 +00:00
ndr_negoex.h build: Get rid of hardcoded 'bin/default' in includes 2019-02-08 08:51:19 +01:00
ndr_netlogon.c
ndr_netlogon.h
ndr_ntlmssp.c pidl: Add and use ndr_print_steal_switch_value(), removing ndr_print_get_switch_value() 2019-12-12 02:30:40 +00:00
ndr_ntlmssp.h librpc/ndr: add ndr_ntlmssp_find_av() helper function 2016-03-10 06:52:29 +01:00
ndr_ntprinting.c
ndr_ntprinting.h
ndr_orpc.c ndr_orpc: properly allocate empty DUALSTRINGARRAY 2019-11-20 04:41:28 +00:00
ndr_preg.c
ndr_preg.h
ndr_rap.c
ndr_rap.h
ndr_schannel.c pidl: Add and use ndr_print_steal_switch_value(), removing ndr_print_get_switch_value() 2019-12-12 02:30:40 +00:00
ndr_schannel.h
ndr_sec_helper.c librpc: Set the switch_value before NDR_BUFFERS to prepare for new libndr behaviour 2019-12-12 02:30:40 +00:00
ndr_spoolss_buf.c librpc: pidlify spoolss_EnumPerMachineConnections 2020-01-08 23:51:31 +00:00
ndr_spoolss_buf.h librpc: pidlify spoolss_EnumPerMachineConnections 2020-01-08 23:51:31 +00:00
ndr_string.c ndr: fix ndr_pull_string_array() off by one alloc 2020-08-07 03:23:44 +00:00
ndr_svcctl.c
ndr_svcctl.h
ndr_table.c librpc: Do not return an NDR table for a zero GUID 2019-11-14 08:01:43 +00:00
ndr_table.h
ndr_witness.c
ndr_witness.h
ndr_wmi.c
ndr_wmi.h
ndr_xattr.c
ndr_xattr.h
ndr.c librpc ndr: add recursion check macros 2020-02-27 01:02:32 +00:00
util.c librpc:ndr: Implement ndr_zero_memory() 2019-02-14 15:59:25 +01:00
uuid.c ndr: Init variables of GUID_from_data_blob() 2018-10-19 23:11:26 +02:00