[SCM] Samba Shared Repository - branch master updated

Gary Lockyer gary at samba.org
Thu Dec 6 07:49:07 UTC 2018


The branch, master has been updated
       via  d9e95849e3e librpc:ndr: Fix undefined behavior in ndr_basic
      from  9aad13cbad0 WHATSNEW: document changes in SMB server parametric options

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d9e95849e3e09fd4dc40cf9c82030b033117ae98
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Nov 22 15:15:03 2018 +0100

    librpc:ndr: Fix undefined behavior in ndr_basic
    
    librpc/ndr/ndr_basic.c:723:2: runtime error: null pointer passed as
    argument 2, which is declared to never be null
    
    The following triggered the undefined behavior:
    
    (gdb) bt
        at librpc/gen_ndr/ndr_drsuapi.c:2318
        fn=0x7ffff6e72983 <ndr_push_drsuapi_DsReplicaObjectIdentifier3Binary>) at ../../librpc/ndr/ndr.c:1337
        at ../../source4/dsdb/schema/schema_syntax.c:2136
        drs_str=<optimized out>) at ../../source4/dsdb/schema/tests/schema_syntax.c:122
        already_setup=<optimized out>, restricted=restricted at entry=0x0) at ../../lib/torture/torture.c:442
        at ../../lib/torture/torture.c:507
        suite=0x5555563d9490, matched=0x7fffffffcef7) at ../../source4/torture/smbtorture.c:93
        matched=0x7fffffffcef7) at ../../source4/torture/smbtorture.c:95
        at ../../source4/torture/smbtorture.c:143
    (gdb) f 1
    1335            NDR_CHECK(ndr_push_bytes(ndr, blob.data, blob.length));
    (gdb) p blob
    $2 = {data = 0x0, length = 0}
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    
    Autobuild-User(master): Gary Lockyer <gary at samba.org>
    Autobuild-Date(master): Thu Dec  6 08:48:28 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
 librpc/ndr/ndr_basic.c | 10 ++++++++++
 1 file changed, 10 insertions(+)


Changeset truncated at 500 lines:

diff --git a/librpc/ndr/ndr_basic.c b/librpc/ndr/ndr_basic.c
index c874f340388..b488c7c22d9 100644
--- a/librpc/ndr/ndr_basic.c
+++ b/librpc/ndr/ndr_basic.c
@@ -719,6 +719,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_trailer_align(struct ndr_pull *ndr, size_t s
 */
 _PUBLIC_ enum ndr_err_code ndr_push_bytes(struct ndr_push *ndr, const uint8_t *data, uint32_t n)
 {
+	if (n == 0) {
+		return NDR_ERR_SUCCESS;
+	}
+	if (data == NULL) {
+		return NDR_ERR_INVALID_POINTER;
+	}
 	NDR_PUSH_NEED_BYTES(ndr, n);
 	memcpy(ndr->data + ndr->offset, data, n);
 	ndr->offset += n;
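Review bot: the new `if (n == 0) return NDR_ERR_SUCCESS;` before `NDR_PUSH_NEED_BYTES(ndr, n)` means a NULL `data` is accepted when `n == 0` but rejected with `NDR_ERR_INVALID_POINTER` when `n > 0`, so the pointer is only validated on non-empty pushes; the function's doc comment (closing at the `*/` in the context above) should state both rules so callers do not rely on a zero-length push catching a bad pointer. Ordering is right: both checks run before `memcpy`, which is the call the sanitizer flagged for a NULL second argument.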
@@ -1329,6 +1335,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_DATA_BLOB(struct ndr_push *ndr, int ndr_flag
 	} else {
 		NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, blob.length));
 	}
+	if (blob.length == 0) {
+		return NDR_ERR_SUCCESS;
+	}
+
 	NDR_CHECK(ndr_push_bytes(ndr, blob.data, blob.length));
 	return NDR_ERR_SUCCESS;
 }
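Review bot: the added `if (blob.length == 0) return NDR_ERR_SUCCESS;` duplicates the `n == 0` early return that the first hunk adds to `ndr_push_bytes`, so `NDR_CHECK(ndr_push_bytes(ndr, blob.data, blob.length));` would already succeed for an empty blob; keeping it is harmless but a one-line comment noting it is a deliberate short-circuit (and that the `blob.data == 0x0, length = 0` case from the backtrace is what it covers) would save the next reader from wondering which check is authoritative. Placing it after the `ndr_push_uint3264` length push is correct, since the zero length must still be marshalled before returning; the blank line left before the `NDR_CHECK` could be dropped.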


-- 
Samba Shared Repository


