[jcifs] Infinite Loop Bug

Michael B Allen ioplex at gmail.com
Wed Aug 15 12:25:38 MDT 2012

On Mon, Aug 6, 2012 at 10:32 AM, Trent Wood <tilde35 at yahoo.com> wrote:
> When running on a Solaris UNIX server, I encountered an infinite loop. The problematic code is in the readRDataWireFormat method of jcifs.netbios.NameQueryResponse. This method returns zero for the "if( resultCode != 0 || opCode != QUERY )" condition. A result of zero causes the calling method (jcifs.netbios.NameServicePacket - readResourceRecordWireFormat) to loop indefinitely. When I changed that condition to throw an exception, everything works as expected.

Hey Golden Gopher,

I much prefer to fix things properly. Otherwise we just end up in a
game of whack-a-mole. Besides, if it's taken 12 years for this bug to
pop up I wouldn't dare touch this code without really knowing what
effect it would have.

If we sent a NAME SERVICE QUERY I will assume the response opCode is in
fact QUERY in which case the offending part of the condition must be
the resultCode != 0. But for readRDataWireFormat to be called,
rDataLength must be > 0 in which case we must decode what's in the
record. Then the message will be properly decoded and the resultCode
!= 0 check will trigger a proper meaningful exception.

The fix should probably be something like:

            addrEntry = new NbtAddress[rDataLength / 6];
            end = srcIndex + rDataLength;
            if (resultCode != 0) {
                // Error response: step over the RDATA rather than decoding it,
                // so the loop below cannot spin on a zero-length read.
                srcIndex += rDataLength;
            } else {
                for( addrIndex = 0; srcIndex < end; addrIndex++ ) {
                    srcIndex += readRDataWireFormat( src, srcIndex );
                }
            }

            return srcIndex - start;
        }

But I would need to actually see what's there. Ideally I would need to
see a packet capture.


Michael B Allen
Java Active Directory Integration
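Added example, not jcifs code: a small Python model of the header RCODE and
resource-record loop discussed above, run over constructed NBNS response
packets. It shows why a per-entry decoder that consumes zero bytes never
terminates, how stepping over the RDATA on a non-zero resultCode (the fix
proposed in this message) avoids it, and a progress guard that turns any
remaining zero-length read into an exception. Function names, field layout
constants and packet bytes are my own constructions.

```python
import struct

# Constructed NetBIOS Name Service (NBNS) response packets, laid out the way
# jcifs.netbios.NameServicePacket decodes them: a 12-byte header, then one
# answer resource record whose RDATA is a run of 6-byte (flags, IPv4) entries.
RCODE_MASK = 0x000F        # low 4 bits of the header flags word
RR_FIXED = ">HHHIH"        # name pointer, type, class, TTL, rDataLength

def build_response(rcode, entries):
    """Positive (rcode 0) or negative response that still carries RDATA."""
    flags = 0x8000 | (rcode & RCODE_MASK)                # QR=1, opcode QUERY
    header = struct.pack(">HHHHHH", 0x1234, flags, 0, 1, 0, 0)
    rdata = b"".join(struct.pack(">H4s", f, ip) for f, ip in entries)
    rr = struct.pack(RR_FIXED, 0xC00C, 0x0020, 0x0001, 300, len(rdata))
    return header + rr + rdata

def read_rdata(src, idx, rcode):
    """Mirrors NameQueryResponse.readRDataWireFormat: consumes nothing on error."""
    if rcode != 0:
        return 0, None
    nb_flags, ip = struct.unpack_from(">H4s", src, idx)
    return 6, (nb_flags, ".".join(str(b) for b in ip))

def read_resource_record(src, idx, rcode, skip_rdata_on_error):
    """Mirrors readResourceRecordWireFormat. With skip_rdata_on_error the RDATA
    of an error response is stepped over (the fix proposed in the thread);
    either way a decoder that makes no progress raises instead of looping."""
    start = idx
    *_, rdata_len = struct.unpack_from(RR_FIXED, src, idx)
    idx += struct.calcsize(RR_FIXED)
    end = idx + rdata_len
    addrs = []
    if rcode != 0 and skip_rdata_on_error:
        idx = end                       # leave the RDATA undecoded but consumed
    while idx < end:
        consumed, entry = read_rdata(src, idx, rcode)
        if consumed <= 0:               # the original loop would spin here
            raise ValueError(f"no progress decoding RDATA (rcode={rcode}, "
                             f"{end - idx} bytes left)")
        idx += consumed
        addrs.append(entry)
    return idx - start, addrs

def parse_response(pkt, skip_rdata_on_error=True):
    """Returns (rcode, bytes consumed by the answer RR, decoded addresses)."""
    rcode = struct.unpack_from(">H", pkt, 2)[0] & RCODE_MASK
    consumed, addrs = read_resource_record(pkt, 12, rcode, skip_rdata_on_error)
    return rcode, consumed, addrs
```

The caller still has to check the returned rcode; the point of the skip is that the record is fully consumed first, so the error can be reported from decoded state instead of from a parser that never returns.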
