[jcifs] Infinite Loop Bug
Michael B Allen
ioplex at gmail.com
Wed Aug 15 12:25:38 MDT 2012
On Mon, Aug 6, 2012 at 10:32 AM, Trent Wood <tilde35 at yahoo.com> wrote:
> When running on a Solaris UNIX server, I encountered an infinite loop. The problematic code is in the readRDataWireFormat method of jcifs.netbios.NameQueryResponse. This method returns zero for the "if( resultCode != 0 || opCode != QUERY )" condition. A result of zero causes the calling method (jcifs.netbios.NameServicePacket - readResourceRecordWireFormat) to loop indefinitely. When I changed that condition to throw an exception, everything works as expected.
Hey Golden Gopher,
I much prefer to fix things properly. Otherwise we just end up in a
game of whack-a-mole. Besides, if it's taken 12 years for this bug to
pop up I wouldn't dare touch this code without really knowing what
effect it would have.
If we sent a NAME SERVICE QUERY I will assume the response opCode is in
fact QUERY in which case the offending part of the condition must be
the resultCode != 0. But for readRDataWireFormat to be called,
rDataLength must be > 0 in which case we must decode what's in the
record. Then the message will be properly decoded and the resultCode
!= 0 will trigger a proper meaningful exception.
The fix should probably be something like:
    addrEntry = new NbtAddress[rDataLength / 6];
    end = srcIndex + rDataLength;
    if (resultCode != 0) {
        // negative response: skip over the RDATA instead of trying to decode it
        srcIndex += rDataLength;
    } else {
        // positive response: decode each 6-byte address entry until the record ends
        for( addrIndex = 0; srcIndex < end; addrIndex++ ) {
            srcIndex += readRDataWireFormat( src, srcIndex );
        }
    }

    return srcIndex - start;
}
But I would need to actually see what's there. Ideally I would need to
see a packet capture.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
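As an added example (not jcifs code; the class and method names are hypothetical), a defensive version of the resource-record loop Mike describes: it skips the RDATA of a negative response, and it also refuses to spin when the entry decoder reports zero bytes consumed, which is the condition that produced the hang.

```java
import java.util.ArrayList;
import java.util.List;
public class NbtRecordParser {
    static final int QUERY = 0;
    static final int ENTRY_LEN = 6; // NB RDATA entry: 2 bytes NB_FLAGS + 4 bytes IPv4

    /** Parses the RDATA of a NAME QUERY RESPONSE, returning the addresses found. */
    static List<String> readRData(byte[] src, int srcIndex, int rDataLength,
                                  int resultCode, int opCode) {
        List<String> addrs = new ArrayList<>();
        int end = srcIndex + rDataLength;
        if (rDataLength < 0 || end > src.length) {
            throw new IllegalArgumentException("rDataLength runs past the packet");
        }
        // Negative or non-QUERY response: skip the RDATA instead of decoding it.
        if (resultCode != 0 || opCode != QUERY) {
            return addrs;
        }
        while (srcIndex < end) {
            int consumed = readEntry(src, srcIndex, end, addrs);
            // Progress guard: a callee returning 0 would otherwise spin forever.
            if (consumed <= 0) {
                throw new IllegalStateException("no progress at offset " + srcIndex);
            }
            srcIndex += consumed;
        }
        return addrs;
    }

    /** Decodes one entry; returns bytes consumed, or 0 if it does not fit before end. */
    static int readEntry(byte[] src, int i, int end, List<String> out) {
        if (end - i < ENTRY_LEN) return 0;
        out.add((src[i + 2] & 0xff) + "." + (src[i + 3] & 0xff) + "."
              + (src[i + 4] & 0xff) + "." + (src[i + 5] & 0xff));
        return ENTRY_LEN;
    }

    public static void main(String[] args) {
        // Constructed RDATA: two entries, NB_FLAGS 0x6000 then an IPv4 address each.
        byte[] rdata = { 0x60, 0, (byte) 192, (byte) 168, 1, 10, 0x60, 0, 10, 0, 0, 5 };
        System.out.println(readRData(rdata, 0, rdata.length, 0, QUERY)); // positive
        System.out.println(readRData(rdata, 0, rdata.length, 3, QUERY)); // negative, skipped
        try {
            readRData(rdata, 0, 7, 0, QUERY); // truncated entry: fails loudly, never loops
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```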