Bug in parse_nmb_name()?

Guy G. Sotomayor, Jr. ggs at shiresoft.com
Tue Nov 17 02:32:29 GMT 1998


I've been looking at parse_nmb_name() in libsmb/nmblib.c and have either
found a bug or don't understand how the code works (take your pick).  It
has to do with picking up the scope part of the NetBIOS name and name 
pointers.

The code in question:

while ((m=ubuf[offset])) {
  /* we can have pointers within the domain part as well */
  if (!handle_name_ptrs(ubuf,&offset,length,&got_pointer,&ret)) return(0);

  if (!got_pointer) ret += m+1;
  if (n) name->scope[n++] = '.';
  if (m+2+offset>length || n+m+1>sizeof(name->scope)) return(0);
  .
  .
  .

The problem is that at the "while", if the scope is a name pointer,
'm' will have 0xC0 + bits.  'm' is never reloaded from offset to get
the length of the name component.

If a NetBIOS name has a scope *and* has a name pointer in the scope part of
the name, it seems that the parse function will *always* reject it.  Is this
true or am I confused?

I think the following code does not have this problem:

while (ubuf[offset]) {
  /* we can have pointers within the domain part as well */
  if (!handle_name_ptrs(ubuf,&offset,length,&got_pointer,&ret)) return(0);

  m=ubuf[offset];

  if (!got_pointer) ret += m+1;
  if (n) name->scope[n++] = '.';
  if (m+2+offset>length || n+m+1>sizeof(name->scope)) return(0);
  .
  .
  .

BTW this is in the 1.9.18p10 code and the 2.0.0beta1 code (the two I checked).

TTFN - Guy
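The following is an added, self-contained example (not code from the post or from Samba) that reproduces the behaviour described above on a constructed packet. It reads the dot-separated scope labels of a second-level-encoded NetBIOS name, with 0xC0 compression pointers, in a loop shaped like the one quoted from parse_nmb_name(). A `reload_m` flag selects between keeping the length byte read at the `while` test (the quoted loop) and re-reading it after the pointer has been resolved (the proposed change). The helper names (`follow_ptrs`, `parse_scope`, `demo_parse`), the scope buffer size `SCOPE_MAX`, the hop limit, and the sample byte layouts are all assumptions made for this example.

```c
/* Added example, not Samba code: a minimal reader for the scope labels of a
 * NetBIOS name (RFC 1002 style labels, RFC 1035 style 0xC0 pointers). The loop
 * mirrors the shape of the one quoted from parse_nmb_name() so that the effect
 * of re-reading `m` after a pointer can be observed on sample input.
 * Buffers, offsets and names below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCOPE_MAX 64       /* assumed scope buffer size, standing in for name->scope */
#define MAX_PTR_HOPS 8     /* bound on pointer chasing, so a pointer loop is rejected */

/* Resolve any 0xC0 compression pointers at *offset, in the spirit of Samba's
 * handle_name_ptrs(). *wire counts bytes of the name as it sits on the wire:
 * the first pointer adds its own 2 bytes and nothing for the target it jumps to.
 * Returns 0 if a pointer is truncated, out of range, or chases too many hops. */
static int follow_ptrs(const uint8_t *buf, size_t length, size_t *offset,
                       int *got_pointer, size_t *wire)
{
    int hops = 0;
    while ((buf[*offset] & 0xC0) == 0xC0) {
        if (*offset + 1 >= length) return 0;              /* a pointer needs 2 bytes */
        size_t target = (size_t)((buf[*offset] & 0x3F) << 8) | buf[*offset + 1];
        if (!*got_pointer) *wire += 2;
        *got_pointer = 1;
        if (target >= length || ++hops > MAX_PTR_HOPS) return 0;
        *offset = target;
    }
    return 1;
}

/* Decode the scope labels starting at `offset` into scope[] as "a.b.c".
 * reload_m == 0 keeps the label length `m` read by the while test, as in the
 * quoted loop; after a pointer that byte is the 0xC0-tagged pointer byte.
 * reload_m == 1 re-reads the length at the resolved offset, as the post proposes.
 * Returns the number of wire bytes the scope occupies, or 0 if rejected. */
int parse_scope(const uint8_t *buf, size_t length, size_t offset,
                char *scope, size_t scope_len, int reload_m)
{
    size_t n = 0, wire = 0;
    int got_pointer = 0;
    unsigned m;

    if (offset >= length) return 0;
    while ((m = buf[offset])) {
        /* pointers are allowed inside the scope part as well */
        if (!follow_ptrs(buf, length, &offset, &got_pointer, &wire)) return 0;
        if (reload_m) m = buf[offset];            /* the proposed reload of m */
        if (!got_pointer) wire += m + 1;
        if (n) scope[n++] = '.';
        if (m + 2 + offset > length || n + m + 1 > scope_len) return 0;
        memcpy(&scope[n], &buf[offset + 1], m);
        n += m;
        offset += m + 1;
    }
    scope[n] = '\0';
    if (!got_pointer) wire += 1;                  /* terminating zero-length label */
    return (int)wire;
}

/* Constructed sample: the scope "EXAMPLE.COM" spelled out at offset 0, then at
 * offset 13 a scope label "HOST" followed by a pointer (C0 00) back to offset 0. */
static const uint8_t SAMPLE[] = {
    7, 'E','X','A','M','P','L','E', 3, 'C','O','M', 0,        /* offsets 0..12 */
    4, 'H','O','S','T', 0xC0, 0x00                             /* offsets 13..19 */
};
#define SAMPLE_SCOPE_OFFSET 13

/* Constructed sample of a pointer that points at itself (malformed). */
static const uint8_t SELF_LOOP[] = { 0xC0, 0x00 };

/* Parse `buf` from `offset` and, if `expected` is non-NULL, require the decoded
 * scope to match it. Returns wire bytes on success, 0 if rejected or mismatched. */
int demo_parse(const uint8_t *buf, size_t length, size_t offset,
               int reload_m, const char *expected)
{
    char scope[SCOPE_MAX];
    int wire = parse_scope(buf, length, offset, scope, sizeof scope, reload_m);
    if (wire > 0 && expected && strcmp(scope, expected) != 0) return 0;
    return wire;
}

int main(void)
{
    char scope[SCOPE_MAX];
    int w;
    w = parse_scope(SAMPLE, sizeof SAMPLE, SAMPLE_SCOPE_OFFSET, scope, sizeof scope, 0);
    printf("stale m   : %s\n", w ? scope : "rejected");
    w = parse_scope(SAMPLE, sizeof SAMPLE, SAMPLE_SCOPE_OFFSET, scope, sizeof scope, 1);
    printf("reloaded m: %s (%d wire bytes)\n", w ? scope : "rejected", w);
    return 0;
}
```

On the sample, the stale-`m` loop rejects the name at the length check because `m` still holds 0xC0 (192) after the pointer has been followed, while the reloading loop decodes "HOST.EXAMPLE.COM" and reports 7 wire bytes (the 5-byte HOST label plus the 2-byte pointer). Both variants agree on a scope without pointers, and the hop limit makes a self-referencing pointer fail cleanly instead of spinning.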

