[SCM] Samba Shared Repository - branch v4-10-test updated

Karolin Seeger kseeger at samba.org
Wed Mar 18 16:21:03 UTC 2020


The branch, v4-10-test has been updated
       via  1bca6456030 nmblib: avoid undefined behaviour in handle_name_ptrs()
      from  43b343786e3 selftest: Export DC conf path for special cases

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test


- Log -----------------------------------------------------------------
commit 1bca64560307cd365a516b5d1ffc87333629c4e9
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sun Jan 19 15:08:58 2020 +1300

    nmblib: avoid undefined behaviour in handle_name_ptrs()
    
    If *offset is length - 1, we would read ubuf[(*offset)+1] as the lower
    bits of the new *offset. This value is undefined, but because it is
    checked against the valid range, there is no way to read further
    beyond that one byte.
    
    Credit to oss-fuzz.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14242
    OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20193
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Feb  7 10:19:39 UTC 2020 on sn-devel-184
    
    (cherry picked from commit 3bc7acc62646b105b03fd3c65e9170a373f95392)
    
    Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-10-test): Wed Mar 18 16:19:59 UTC 2020 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/nmblib.c | 3 +++
 1 file changed, 3 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
index 0681450bae2..8d387fe8120 100644
--- a/source3/libsmb/nmblib.c
+++ b/source3/libsmb/nmblib.c
@@ -160,6 +160,9 @@ static bool handle_name_ptrs(unsigned char *ubuf,int *offset,int length,
 		if (!*got_pointer)
 			(*ret) += 2;
 		(*got_pointer)=True;
+		if (*offset > length - 2) {
+			return False;
+		}
 		(*offset) = ((ubuf[*offset] & ~0xC0)<<8) | ubuf[(*offset)+1];
 		if (loop_count++ == 10 ||
 				(*offset) < 0 || (*offset)>(length-2)) {
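Review bot: The new guard before the two-byte read at `(*offset) = ((ubuf[*offset] & ~0xC0)<<8) | ubuf[(*offset)+1];` checks only the upper bound, while the existing post-read test just below it also rejects `(*offset) < 0`. Nothing in the visible context shows that `*offset` is non-negative on entry to this branch, so consider `if (*offset < 0 || *offset > length - 2)` so the pre-read check mirrors the post-read one, or add a comment saying where the lower bound is already established. A one-line comment that the guard protects the read of `ubuf[(*offset)+1]` would also help, since the same upper-bound expression appears again right after the assignment and could look redundant to a later reader.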


-- 
Samba Shared Repository


