diff options
author | Jeremy Allison <jra@samba.org> | 2018-11-12 11:37:31 -0800 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2019-02-01 11:32:46 +0100 |
commit | 8932a4a161f2647057e1fe815562354e0a12ccbd (patch) | |
tree | 25b93d886999926cbe751d227f5dd5b82d48eddd /source3 | |
parent | 129423d36572edf48a6931a0e5dab4a8e1acc05e (diff) | |
download | samba-8932a4a161f2647057e1fe815562354e0a12ccbd.tar.gz |
s3: lib: nmbname: Ensure we limit the NetBIOS name correctly. CID: 1433607
Firstly, make the exit condition from the loop explicit (we must
never write into byte n, where n >= sizeof(name->name).
Secondly ensure exiting from the loop that n==MAX_NETBIOSNAME_LEN,
as this is the sign of a correct NetBIOS name encoding (RFC1002)
in order to properly read the NetBIOS name type (which is always
encoded in byte 16 == name->name[15]).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11495
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Nov 13 20:54:56 CET 2018 on sn-devel-144
(cherry picked from commit 3634e20c7603103b0f2e00e5b61cc63f905d780d)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/libsmb/nmblib.c | 34 |
1 files changed, 21 insertions, 13 deletions
diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c index 8feb029b05e..7b75c3de065 100644 --- a/source3/libsmb/nmblib.c +++ b/source3/libsmb/nmblib.c @@ -207,25 +207,33 @@ static int parse_nmb_name(char *inbuf,int ofs,int length, struct nmb_name *name) unsigned char c1,c2; c1 = ubuf[offset++]-'A'; c2 = ubuf[offset++]-'A'; - if ((c1 & 0xF0) || (c2 & 0xF0) || (n > sizeof(name->name)-1)) + if ((c1 & 0xF0) || (c2 & 0xF0)) { return(0); + } + if (n >= sizeof(name->name)) { + return 0; + } name->name[n++] = (c1<<4) | c2; m -= 2; } - name->name[n] = 0; - - if (n==MAX_NETBIOSNAME_LEN) { - /* parse out the name type, its always - * in the 16th byte of the name */ - name->name_type = ((unsigned char)name->name[15]) & 0xff; - - /* remove trailing spaces */ - name->name[15] = 0; - n = 14; - while (n && name->name[n]==' ') - name->name[n--] = 0; + /* + * RFC1002: For a valid NetBIOS name, exiting from the above, + * n *must* be MAX_NETBIOSNAME_LEN (16). + */ + if (n != MAX_NETBIOSNAME_LEN) { + return 0; } + /* parse out the name type, its always + * in the 16th byte of the name */ + name->name_type = ((unsigned char)name->name[15]) & 0xff; + + /* remove trailing spaces */ + name->name[15] = 0; + n = 14; + while (n && name->name[n]==' ') + name->name[n--] = 0; + /* now the domain parts (if any) */ n = 0; while (ubuf[offset]) { |