From a85d257c1ec3a4505f2a4fcbec0f7e1f60dbff91 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 20 Dec 2019 10:50:09 +1300
Subject: librpc: Do not access name[-1] trying to push "" into a dnsp_name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This simply matches the behaviour from before
e7b1acaddf2ccc7de0301cc67f72187ab450e7b5 when the logic for a
trailing . was added.

This matches what is added in the dnsRecord attribute for a name of
"." over the dnsserver RPC management interface and is based on what
Windows does for that name in (eg) an MX record.

Not a security bug because we use talloc and so name will be just the
end of the talloc header.

Credit to OSS-Fuzz

Found using the fuzz_ndr_X fuzzer

Signed-off-by: Andrew Bartlett
Reviewed-by: Ralph Boehme

Autobuild-User(master): Ralph Böhme
Autobuild-Date(master): Fri Dec 20 11:33:52 UTC 2019 on sn-devel-184
---
 librpc/ndr/ndr_dnsp.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index 974ff5ebff2..d75c58fca37 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -106,8 +106,18 @@ enum ndr_err_code ndr_push_dnsp_name(struct ndr_push *ndr, int ndr_flags, const
 	}
 	total_len = strlen(name) + 1;
 
-	/* cope with names ending in '.' */
-	if (name[strlen(name)-1] != '.') {
+	/*
+	 * cope with names ending in '.'
+	 */
+	if (name[0] == '\0') {
+		/*
+		 * Don't access name[-1] for the "" input, which has
+		 * the same meaning as a lone '.'.
+		 *
+		 * This allows a round-trip of a dnsRecord from
+		 * Windows of a MX record of '.'
+		 */
+	} else if (name[strlen(name)-1] != '.') {
 		total_len++;
 		count++;
 	}
-- 
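Review bot: The new `if (name[0] == '\0')` branch in this hunk has a body consisting only of a comment, which leaves an intentionally empty block that static checkers and later readers tend to flag; the same guard reads more directly as one condition, `if (name[0] != '\0' && name[strlen(name)-1] != '.') {`, with the explanatory comment moved above it. While here, `strlen(name)` is computed a second time in the condition even though `total_len` already holds `strlen(name) + 1`, so the last character can be read as `name[total_len - 2]` once the emptiness check has run. The guard itself is the right fix regardless of the "not a security bug" reasoning in the message: `name[strlen(name)-1]` on an empty string reads one byte before the buffer, and the fact that a talloc header happens to sit there is a property of the allocator, not something the marshalling code should rely on.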