authorJeremy Allison <jra@samba.org>2015-06-18 10:21:07 -0700
committerJeremy Allison <jra@samba.org>2015-06-18 22:14:01 +0200
commit5a82cc21379e3fe28441cd82647313c9390b41e7 (patch)
tree83b2b5fe1da4a3ee6639c47443e7311997610e0a /lib
parent5deb8169fecef108b4f8010446398475ba8b46de (diff)
s3: smbd: Codenomicon crash in do_smb_load_module().
Inside api_pipe_bind_req() we look for a pipe module name using dcerpc_default_transport_endpoint(pkt, NCACN_NP, table) which returns NULL when given invalid pkt data from the Codenomicon fuzzer. This gets passed directly to smb_probe_module(), which then calls do_smb_load_module() which tries to deref the (NULL) module name. https://bugzilla.samba.org/show_bug.cgi?id=11342 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ira Cooper <ira@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Jun 18 22:14:01 CEST 2015 on sn-devel-104
Diffstat (limited to 'lib')
-rw-r--r--lib/util/modules.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/util/modules.c b/lib/util/modules.c
index 828f33a0e16..1f00dd810ae 100644
--- a/lib/util/modules.c
+++ b/lib/util/modules.c
@@ -161,6 +161,11 @@ static NTSTATUS do_smb_load_module(const char *subsystem,
char *full_path = NULL;
TALLOC_CTX *ctx = talloc_stackframe();
+ if (module_name == NULL) {
+ TALLOC_FREE(ctx);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/* Check for absolute path */
DEBUG(5, ("%s module '%s'\n", is_probe ? "Probing" : "Loading", module_name));
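Review bot: The new `module_name == NULL` branch returns NT_STATUS_INVALID_PARAMETER without logging anything, so a malformed bind request that reaches this path leaves no trace for whoever triages it later. Per the commit message the NULL comes from packet data supplied by the peer, so a short message before the `TALLOC_FREE(ctx)` would make these rejections visible, for example `DEBUG(3, ("do_smb_load_module: NULL module name for subsystem '%s'\n", subsystem ? subsystem : "(null)"));`. It should stay above level 0, since the condition appears to be remotely triggerable and could otherwise flood the log. The guard sits at the sink; the caller named in the description, api_pipe_bind_req(), is not part of this diff, so it is worth confirming whether it should also reject the bind once the endpoint lookup returns NULL. The body of do_smb_load_module() continues outside the hunk.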