author: Andrew Bartlett <abartlet@samba.org> 2019-12-20 10:50:09 +1300
committer: Ralph Boehme <slow@samba.org> 2019-12-20 11:33:52 +0000
commit: a85d257c1ec3a4505f2a4fcbec0f7e1f60dbff91
tree: 4940c4ea2ef423028f585a6cbb26d570f02097d8 /librpc
parent: 16557e4480a7502d45186854546d502479be156f
librpc: Do not access name[-1] trying to push "" into a dnsp_name
This simply matches the behaviour from before e7b1acaddf2ccc7de0301cc67f72187ab450e7b5 when the logic for a trailing . was added. This matches what is added in the dnsRecord attribute for a name of "." over the dnsserver RPC management interface and is based on what Windows does for that name in (eg) an MX record.

Not a security bug because we use talloc and so name will be just the end of the talloc header.

Credit to OSS-Fuzz

Found using the fuzz_ndr_X fuzzer

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Dec 20 11:33:52 UTC 2019 on sn-devel-184
Diffstat (limited to 'librpc')
-rw-r--r-- librpc/ndr/ndr_dnsp.c 14
1 files changed, 12 insertions, 2 deletions
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index 974ff5ebff2..d75c58fca37 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -106,8 +106,18 @@ enum ndr_err_code ndr_push_dnsp_name(struct ndr_push *ndr, int ndr_flags, const
}
total_len = strlen(name) + 1;
- /* cope with names ending in '.' */
- if (name[strlen(name)-1] != '.') {
+ /*
+ * cope with names ending in '.'
+ */
+ if (name[0] == '\0') {
+ /*
+ * Don't access name[-1] for the "" input, which has
+ * the same meaning as a lone '.'.
+ *
+ * This allows a round-trip of a dnsRecord from
+ * Windows of a MX record of '.'
+ */
+ } else if (name[strlen(name)-1] != '.') {
total_len++;
count++;
}
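Review bot: the new `if (name[0] == '\0')` branch has an empty body that holds only a comment, which is easy to misread as an unfinished block. Folding the guard into the condition, e.g. `if (name[0] != '\0' && name[strlen(name)-1] != '.')`, with the comment moved above it, keeps the same behaviour in a single branch. `strlen(name)` is also evaluated twice in these lines (once for `total_len`, once for the index), so a local length variable would serve both uses. The diffstat shows only `librpc/ndr/ndr_dnsp.c` changed; since the input came from a fuzzer, a regression test for the "" input and for the '.' MX round-trip mentioned in the comment would pin the behaviour.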