diff options
| author | Jeremy Allison <jra@samba.org> | 2018-11-12 11:37:31 -0800 |
|---|---|---|
| committer | David Disseldorp <ddiss@samba.org> | 2018-11-13 20:54:56 +0100 |
| commit | 3634e20c7603103b0f2e00e5b61cc63f905d780d (patch) | |
| tree | f1164c709cef9baf5c6e129b95afdc327fa88acc /source3 | |
| parent | 5a8583ed701be97c33a20b2a20f6bbb8ac2f8e99 (diff) | |
| download | samba-3634e20c7603103b0f2e00e5b61cc63f905d780d.tar.gz | |
s3: lib: nmbname: Ensure we limit the NetBIOS name correctly. CID: 1433607
Firstly, make the exit condition from the loop explicit (we must
never write into byte n, where n >= sizeof(name->name).
Secondly ensure exiting from the loop that n==MAX_NETBIOSNAME_LEN,
as this is the sign of a correct NetBIOS name encoding (RFC1002)
in order to properly read the NetBIOS name type (which is always
encoded in byte 16 == name->name[15]).
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Nov 13 20:54:56 CET 2018 on sn-devel-144
Diffstat (limited to 'source3')
| -rw-r--r-- | source3/libsmb/nmblib.c | 34 |
1 files changed, 21 insertions, 13 deletions
diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c index ef6177e5209..727939575a7 100644 --- a/source3/libsmb/nmblib.c +++ b/source3/libsmb/nmblib.c @@ -207,25 +207,33 @@ static int parse_nmb_name(char *inbuf,int ofs,int length, struct nmb_name *name) unsigned char c1,c2; c1 = ubuf[offset++]-'A'; c2 = ubuf[offset++]-'A'; - if ((c1 & 0xF0) || (c2 & 0xF0) || (n > sizeof(name->name)-1)) + if ((c1 & 0xF0) || (c2 & 0xF0)) { return(0); + } + if (n >= sizeof(name->name)) { + return 0; + } name->name[n++] = (c1<<4) | c2; m -= 2; } - name->name[n] = 0; - - if (n==MAX_NETBIOSNAME_LEN) { - /* parse out the name type, its always - * in the 16th byte of the name */ - name->name_type = ((unsigned char)name->name[15]) & 0xff; - - /* remove trailing spaces */ - name->name[15] = 0; - n = 14; - while (n && name->name[n]==' ') - name->name[n--] = 0; + /* + * RFC1002: For a valid NetBIOS name, exiting from the above, + * n *must* be MAX_NETBIOSNAME_LEN (16). + */ + if (n != MAX_NETBIOSNAME_LEN) { + return 0; } + /* parse out the name type, its always + * in the 16th byte of the name */ + name->name_type = ((unsigned char)name->name[15]) & 0xff; + + /* remove trailing spaces */ + name->name[15] = 0; + n = 14; + while (n && name->name[n]==' ') + name->name[n--] = 0; + /* now the domain parts (if any) */ n = 0; while (ubuf[offset]) { |