diff options
author | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2020-01-19 15:08:58 +1300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-03-18 16:19:59 +0000 |
commit | 1bca64560307cd365a516b5d1ffc87333629c4e9 (patch) | |
tree | c83af51bd5e475c02eef0c68b0242943e7c26dd9 | |
parent | 43b343786e36cc440df993ae78d241f2fbea1ac1 (diff) | |
download | samba-1bca64560307cd365a516b5d1ffc87333629c4e9.tar.gz |
nmblib: avoid undefined behaviour in handle_name_ptrs()
If *offset is length - 1, we would read ubuf[(*offset)+1] as the lower
bits of the new *offset. This value is undefined, but because it is
checked against the valid range, there is no way to read further
beyond that one byte.
Credit to oss-fuzz.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14242
OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20193
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 7 10:19:39 UTC 2020 on sn-devel-184
(cherry picked from commit 3bc7acc62646b105b03fd3c65e9170a373f95392)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Wed Mar 18 16:19:59 UTC 2020 on sn-devel-144
-rw-r--r-- | source3/libsmb/nmblib.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c index 0681450bae2..8d387fe8120 100644 --- a/source3/libsmb/nmblib.c +++ b/source3/libsmb/nmblib.c @@ -160,6 +160,9 @@ static bool handle_name_ptrs(unsigned char *ubuf,int *offset,int length, if (!*got_pointer) (*ret) += 2; (*got_pointer)=True; + if (*offset > length - 2) { + return False; + } (*offset) = ((ubuf[*offset] & ~0xC0)<<8) | ubuf[(*offset)+1]; if (loop_count++ == 10 || (*offset) < 0 || (*offset)>(length-2)) { |