mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/librpc/idl
Joseph Sutton edad945339 librpc/nbt: Avoid reading invalid member of union
WACK packets use the ‘data’ member of the ‘nbt_rdata’ union, but they
claim to be a different type — NBT_QTYPE_NETBIOS — than would normally
be used with that union member. This means that if rr_type is equal to
NBT_QTYPE_NETBIOS, ndr_push_nbt_res_rec() has to guess which type the
structure really is by examining the data member. However, if the
structure is actually of a different type, that union member will not be
valid and accessing it will invoke undefined behaviour.

To fix this, eliminate all the guesswork and introduce a new type,
NBT_QTYPE_WACK, which can never appear on the wire, and which indicates
that although the ‘data’ union member should be used, the wire type is
actually NBT_QTYPE_NETBIOS.

This means that as far as NDR is concerned, the ‘netbios’ member of the
‘nbt_rdata’ union will consistently be used for all NBT_QTYPE_NETBIOS
structures; we shall no longer access the wrong member of the union.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38480

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15019

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Jul  7 01:14:06 UTC 2023 on atb-devel-224
2023-07-07 01:14:06 +00:00
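The discriminator pattern the commit message describes, as an added example in C that is not Samba's code and does not reproduce its NDR layer. The record layout (TYPE, RDLENGTH, RDATA), the 6-byte NB record, the 2-byte WACK payload, the internal-only `NBT_QTYPE_WACK` sentinel, the use of RDLENGTH on pull to tell a WACK from an NB record, and all function names are assumptions made for illustration. The `_BUGGY` helper shows the guesswork the fix removes (it reads `data` while `netbios` may be the live union member) and is never called.

```c
/* Added example, not Samba code: one internal discriminator selects the
 * union member; the wire type is derived from it in exactly one place. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum nbt_qtype {
	NBT_QTYPE_NETBIOS = 0x0020,
	NBT_QTYPE_STATUS  = 0x0021,
	NBT_QTYPE_WACK    = 0xffff, /* assumption: internal only, never on the wire */
};

struct nbt_rdata_netbios { uint16_t nb_flags; uint32_t ipaddr; }; /* 6 wire bytes (assumed) */
struct nbt_rdata_data    { uint16_t length; uint8_t bytes[16]; }; /* opaque blob */

union nbt_rdata {
	struct nbt_rdata_netbios netbios; /* live for NBT_QTYPE_NETBIOS */
	struct nbt_rdata_data    data;    /* live for NBT_QTYPE_WACK and the rest */
};

struct nbt_res_rec {
	enum nbt_qtype rr_type;  /* the only thing that says which member is live */
	union nbt_rdata rdata;
};

/* The single internal-to-wire translation point. */
static uint16_t nbt_wire_type(enum nbt_qtype t)
{
	return t == NBT_QTYPE_WACK ? NBT_QTYPE_NETBIOS : (uint16_t)t;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* BEFORE: rr_type == NETBIOS was ambiguous, so the pusher peeked at the
 * 'data' member to guess. For a real NETBIOS record 'netbios' is the live
 * member, so this read is undefined behaviour. Kept only as the contrast. */
bool nbt_looks_like_wack_BUGGY(const struct nbt_res_rec *r)
{
	return r->rr_type == NBT_QTYPE_NETBIOS && r->rdata.data.length == 2;
}

/* AFTER: push trusts rr_type alone. Layout TYPE(2) RDLENGTH(2) RDATA.
 * Returns bytes written, or -1 on a short buffer or unsupported type. */
int nbt_push_res_rec(const struct nbt_res_rec *r, uint8_t *out, size_t outlen)
{
	size_t rdlen;
	switch (r->rr_type) {
	case NBT_QTYPE_NETBIOS: rdlen = 6; break;
	case NBT_QTYPE_WACK:
	case NBT_QTYPE_STATUS:  rdlen = r->rdata.data.length; break;
	default: return -1;
	}
	if (rdlen > sizeof r->rdata.data.bytes || outlen < 4 + rdlen) return -1;
	put16(out, nbt_wire_type(r->rr_type));
	put16(out + 2, (uint16_t)rdlen);
	if (r->rr_type == NBT_QTYPE_NETBIOS) {
		put16(out + 4, r->rdata.netbios.nb_flags);
		put32(out + 6, r->rdata.netbios.ipaddr);
	} else {
		memcpy(out + 4, r->rdata.data.bytes, rdlen);
	}
	return (int)(4 + rdlen);
}

/* Pull resolves the wire ambiguity once (assumption: a WACK carries only the
 * 2-byte flags of the original request, an NB record 6 bytes) and records the
 * answer in rr_type, so no later code has to guess. Returns bytes consumed. */
int nbt_pull_res_rec(const uint8_t *in, size_t inlen, struct nbt_res_rec *r)
{
	uint16_t type, rdlen;
	if (inlen < 4) return -1;
	type = get16(in);
	rdlen = get16(in + 2);
	if (inlen < 4u + rdlen) return -1;
	memset(r, 0, sizeof *r);
	if (type == NBT_QTYPE_NETBIOS && rdlen == 6) {
		r->rr_type = NBT_QTYPE_NETBIOS;
		r->rdata.netbios.nb_flags = get16(in + 4);
		r->rdata.netbios.ipaddr = get32(in + 6);
	} else if (type == NBT_QTYPE_NETBIOS && rdlen == 2) {
		r->rr_type = NBT_QTYPE_WACK;
		r->rdata.data.length = 2;
		memcpy(r->rdata.data.bytes, in + 4, 2);
	} else if (type == NBT_QTYPE_STATUS && (size_t)rdlen <= sizeof r->rdata.data.bytes) {
		r->rr_type = NBT_QTYPE_STATUS;
		r->rdata.data.length = rdlen;
		memcpy(r->rdata.data.bytes, in + 4, rdlen);
	} else {
		return -1;
	}
	return 4 + rdlen;
}
```

The point to carry over: a value that can never be received (0xffff here) is a safe internal tag precisely because the pull side assigns it and the push side maps it back, so the union member is always chosen from `rr_type` and never sniffed from the union itself.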
atsvc.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
audiosrv.idl
auth.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
backupkey.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
bkupblobs.idl librpc: Match interface name and file name for bkupblobs.idl 2019-11-13 00:32:36 +00:00
browser.idl
cab.idl librpc: Make CFDATA private to cab.idl and remove pull and push functions 2019-11-29 00:44:40 +00:00
claims.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
clusapi.idl librpc: add clusapi_GroupSetControlCode enum 2020-01-16 21:34:27 +00:00
dbgidl.idl
dcerpc.idl
dcom.idl
dfs.idl
dfsblobs.idl
dns.idl dns.idl/dnsp.idl: add missing DNS resource record types 2022-02-16 20:43:55 +00:00
dnsp.idl dns.idl/dnsp.idl: add missing DNS resource record types 2022-02-16 20:43:55 +00:00
dnsserver.idl rpc/idl dnsserver s/DNS_RPC_DATA/DNS_RPC_RECORD_DATA/ 2021-03-30 00:20:53 +00:00
drsblobs.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
drsuapi.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
dsbackup.idl
dssetup.idl
echo.idl
efs.idl
epmapper.idl
eventlog6.idl
eventlog.idl
file_id.idl
frsapi.idl
frsrpc.idl
frstrans.idl
fscc.idl
fsrvp_state.idl
fsrvp.idl
IDL_LICENSE.txt claims.idl: Add claim type definitions 2022-09-09 00:14:38 +00:00
idl_types.h
idmap.idl winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE 2020-10-23 03:25:37 +00:00
initshutdown.idl
ioctl.idl idl: declare token array of storage_offload_token as in-line 2021-10-08 19:28:32 +00:00
keysvc.idl
krb5ccache.idl krb5ccache.idl: Add definition for a Kerberos credentials cache 2021-05-19 01:32:34 +00:00
krb5pac.idl librpc/idl: Explain why PAC_TYPE_CLIENT_CLAIMS_INFO is not directly decoded 2023-03-31 01:48:30 +00:00
lsa.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
mdssvc.idl mdssvc.idl: pass policy_handle as pointer 2019-10-09 15:52:55 +00:00
messaging.idl smbd: Remove source3/smbd/statcache.c 2022-12-14 22:54:29 +00:00
mgmt.idl idl: Fix whitespace 2022-11-22 18:27:33 +00:00
misc.idl selftest: Test fix for ndrdump of structures by number 2019-11-17 22:28:41 +00:00
msgsvc.idl
named_pipe_auth.idl rpc: Remove named_pipe_auth_req_info6->need_idle_server 2023-05-16 10:53:40 +00:00
nbt.idl librpc/nbt: Avoid reading invalid member of union 2023-07-07 01:14:06 +00:00
negoex.idl
netlogon.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
nfs4acl.idl
notify.idl notify: Remove an unused structure definition 2020-10-24 05:57:31 +00:00
ntlmssp.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
ntprinting.idl
ntsvcs.idl
ODJ.idl librpc: make sure the 4 byte _pad in ODJ_WIN7BLOB is never 0 2021-07-14 16:49:29 +00:00
orpc.idl
oxidresolver.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
policyagent.idl
preg.idl
printcap.idl
quota.idl librpc: Fix typo in "quota" name in IDL 2019-11-13 00:32:36 +00:00
rap.idl
remact.idl
rot.idl
samr.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
scerpc.idl
schannel.idl
security.cnf
security.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
server_id.idl
smb2_lease_struct.idl
smb_acl.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
spoolss.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
srvsvc.idl
svcctl.idl librpc: fix IDL for svcctl_ChangeServiceConfigW 2020-03-09 15:00:31 +00:00
trkwks.idl
unixinfo.idl
w32time.idl
winbind.idl s3:winbind: Add wbint_LookupAliasMembers to winbind interface 2023-06-13 12:15:32 +00:00
windows_event_ids.idl librpc/idl: Add authentication policy event IDs 2023-06-14 22:57:35 +00:00
winreg.cnf
winreg.idl
winspool.idl
winstation.idl librpc: Move winstation.idl to the top level and exclude from fuzzing 2019-12-18 08:05:05 +00:00
witness.idl witness.idl: fix length calculation for witness_IPaddrInfoList 2021-07-08 09:30:40 +00:00
wkssvc.idl
wmi.idl
wscript_build librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00
wzcsvc.idl
xattr.idl librpc:idl: Fix code spelling 2023-06-23 13:44:31 +00:00