mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
edad945339
WACK packets use the ‘data’ member of the ‘nbt_rdata’ union, but they claim to be a different type — NBT_QTYPE_NETBIOS — than would normally be used with that union member. This means that if rr_type is equal to NBT_QTYPE_NETBIOS, ndr_push_nbt_res_rec() has to guess which type the structure really is by examining the data member. However, if the structure is actually of a different type, that union member will not be valid and accessing it will invoke undefined behaviour.

To fix this, eliminate all the guesswork and introduce a new type, NBT_QTYPE_WACK, which can never appear on the wire, and which indicates that although the ‘data’ union member should be used, the wire type is actually NBT_QTYPE_NETBIOS.

This means that as far as NDR is concerned, the ‘netbios’ member of the ‘nbt_rdata’ union will consistently be used for all NBT_QTYPE_NETBIOS structures; we shall no longer access the wrong member of the union.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38480
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15019

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Jul 7 01:14:06 UTC 2023 on atb-devel-224

| ||
---|---|---|
.. | ||
atsvc.idl | ||
audiosrv.idl | ||
auth.idl | ||
backupkey.idl | ||
bkupblobs.idl | ||
browser.idl | ||
cab.idl | ||
claims.idl | ||
clusapi.idl | ||
dbgidl.idl | ||
dcerpc.idl | ||
dcom.idl | ||
dfs.idl | ||
dfsblobs.idl | ||
dns.idl | ||
dnsp.idl | ||
dnsserver.idl | ||
drsblobs.idl | ||
drsuapi.idl | ||
dsbackup.idl | ||
dssetup.idl | ||
echo.idl | ||
efs.idl | ||
epmapper.idl | ||
eventlog6.idl | ||
eventlog.idl | ||
file_id.idl | ||
frsapi.idl | ||
frsrpc.idl | ||
frstrans.idl | ||
fscc.idl | ||
fsrvp_state.idl | ||
fsrvp.idl | ||
IDL_LICENSE.txt | ||
idl_types.h | ||
idmap.idl | ||
initshutdown.idl | ||
ioctl.idl | ||
keysvc.idl | ||
krb5ccache.idl | ||
krb5pac.idl | ||
lsa.idl | ||
mdssvc.idl | ||
messaging.idl | ||
mgmt.idl | ||
misc.idl | ||
msgsvc.idl | ||
named_pipe_auth.idl | ||
nbt.idl | ||
negoex.idl | ||
netlogon.idl | ||
nfs4acl.idl | ||
notify.idl | ||
ntlmssp.idl | ||
ntprinting.idl | ||
ntsvcs.idl | ||
ODJ.idl | ||
orpc.idl | ||
oxidresolver.idl | ||
policyagent.idl | ||
preg.idl | ||
printcap.idl | ||
quota.idl | ||
rap.idl | ||
remact.idl | ||
rot.idl | ||
samr.idl | ||
scerpc.idl | ||
schannel.idl | ||
security.cnf | ||
security.idl | ||
server_id.idl | ||
smb2_lease_struct.idl | ||
smb_acl.idl | ||
spoolss.idl | ||
srvsvc.idl | ||
svcctl.idl | ||
trkwks.idl | ||
unixinfo.idl | ||
w32time.idl | ||
winbind.idl | ||
windows_event_ids.idl | ||
winreg.cnf | ||
winreg.idl | ||
winspool.idl | ||
winstation.idl | ||
witness.idl | ||
wkssvc.idl | ||
wmi.idl | ||
wscript_build | ||
wzcsvc.idl | ||
xattr.idl |