authorGary Lockyer <gary@catalyst.net.nz>2020-06-24 14:27:08 +1200
committerKarolin Seeger <kseeger@samba.org>2020-07-02 10:26:24 +0000
commit3cc0f1eeda5f133532dda31eef9fc1b394127e50 (patch)
treef95b203076efa5f76c6c8d38a6364c7d2bf3ed7e /libcli
parentb232a7bc546f8e6fdb638164a8411772e67c8864 (diff)
CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet
An empty UDP packet put the nbt server into a busy loop that consumes 100% of a CPU.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Jul 2 10:26:24 UTC 2020 on sn-devel-184
Diffstat (limited to 'libcli')
-rw-r--r--libcli/nbt/nbtsocket.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c
index f682b233fd1..97b0ca34337 100644
--- a/libcli/nbt/nbtsocket.c
+++ b/libcli/nbt/nbtsocket.c
@@ -167,8 +167,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock)
return;
}
+ /*
+ * Given a zero length, data_blob_talloc() returns the
+ * NULL blob {NULL, 0}.
+ *
+ * We only want to error return here on a real out of memory condition
+ * (i.e. dsize != 0, so the UDP packet has data, but the return of the
+ * allocation failed, so blob.data==NULL).
+ *
+ * Given an actual zero length UDP packet having blob.data == NULL
+ * isn't an out of memory error condition, that's the defined semantics
+ * of data_blob_talloc() when asked for zero bytes.
+ *
+ * We still need to continue to do the zero-length socket_recvfrom()
+ * read in order to clear the "read pending" condition on the socket.
+ */
blob = data_blob_talloc(tmp_ctx, NULL, dsize);
- if (blob.data == NULL) {
+ if (blob.data == NULL && dsize != 0) {
talloc_free(tmp_ctx);
return;
}
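Review bot: The widened check `if (blob.data == NULL && dsize != 0)` leans on data_blob_talloc() returning the null blob for a zero-length request, and the fifteen-line comment exists mainly to justify that; comparing the length that came back, `if (blob.length != dsize) {`, rejects a failed allocation and accepts an empty datagram without depending on the pointer convention, if allocation failure also yields the null blob as I read data_blob_talloc(), and the comment could then shrink to two lines. Since the original busy loop came from returning before socket_recvfrom() drained the pending datagram, any other early return between the pending-size query and the recvfrom call (both outside this hunk) would reintroduce the same unauthenticated CPU-exhaustion condition; a short comment at the recvfrom call, `/* must run on every path: returning early leaves the datagram pending and re-triggers this handler */`, would protect the fix against later edits. nbt_name_socket_recv() starts before and continues past this hunk, so I could not confirm what the zero-length blob meets after the read.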