authorJeremy Allison <jra@samba.org>2015-06-18 10:21:07 -0700
committerKarolin Seeger <kseeger@samba.org>2015-06-30 02:06:28 +0200
commit290c1ae0ff8dc75fa06e5463d55987918ee3c999 (patch)
tree71a12a0ff78a6489e8f6b05140688c3e67eb3028
parent81dde5e1e3692b86d04084f1a5ca9c842172f7d3 (diff)
s3: smbd: Codenomicon crash in do_smb_load_module().
Inside api_pipe_bind_req() we look for a pipe module name using dcerpc_default_transport_endpoint(pkt, NCACN_NP, table) which returns NULL when given invalid pkt data from the Codenomicon fuzzer. This gets passed directly to smb_probe_module(), which then calls do_smb_load_module() which tries to deref the (NULL) module name. https://bugzilla.samba.org/show_bug.cgi?id=11342 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ira Cooper <ira@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Jun 18 22:14:01 CEST 2015 on sn-devel-104 (cherry picked from commit 5a82cc21379e3fe28441cd82647313c9390b41e7)
-rw-r--r--lib/util/modules.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/util/modules.c b/lib/util/modules.c
index 828f33a0e16..1f00dd810ae 100644
--- a/lib/util/modules.c
+++ b/lib/util/modules.c
@@ -161,6 +161,11 @@ static NTSTATUS do_smb_load_module(const char *subsystem,
char *full_path = NULL;
TALLOC_CTX *ctx = talloc_stackframe();
+ if (module_name == NULL) {
+ TALLOC_FREE(ctx);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/* Check for absolute path */
DEBUG(5, ("%s module '%s'\n", is_probe ? "Probing" : "Loading", module_name));
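Review bot: The new `module_name == NULL` guard returns silently, so a malformed bind request that reaches it leaves no trace in the logs; a line such as `DEBUG(1, ("do_smb_load_module: NULL module name rejected\n"));` before `TALLOC_FREE(ctx)` would make these requests visible to operators. A short comment on the guard, e.g. `/* module_name may be NULL when derived from invalid client packet data, see bug 11342 */`, would also keep the check from being dropped later as redundant. According to the commit description the NULL comes from dcerpc_default_transport_endpoint() in api_pipe_bind_req(), which is not part of this diff, so it may be worth failing the bind there as well rather than relying only on this callee check. do_smb_load_module() begins before and continues after this hunk.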