The Samba-Bugzilla – Attachment 15718 Details for
Bug 14219
[FUZZING] Heap-buffer-overflow in ndr_string_length()
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.10
v4-10-test.patch (text/plain), 2.60 KB, created by
Andreas Schneider
on 2019-12-20 10:23:51 UTC
(
hide
)
Description:
patch for 4.10
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2019-12-20 10:23:51 UTC
Size:
2.60 KB
patch
obsolete
>From 693a4a643936189503bd862d9010f0188c4cec6e Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Mon, 16 Dec 2019 15:50:17 +0100 >Subject: [PATCH] librpc: Fix string length checking in > ndr_pull_charset_to_null() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14219 > >Pair-Programmed-With: Guenther Deschner <gd@samba.org> >Signed-off-by: Guenther Deschner <gd@samba.org> >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit f11e207e01c52566c47e350ff240fe95392de0c3) >--- > librpc/ndr/ndr_string.c | 49 +++++++++++++++++++++++++++++++++++++++-- > 1 file changed, 47 insertions(+), 2 deletions(-) > >diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c >index cc3508616bb..7130726e341 100644 >--- a/librpc/ndr/ndr_string.c >+++ b/librpc/ndr/ndr_string.c >@@ -553,6 +553,47 @@ _PUBLIC_ uint32_t ndr_string_length(const void *_var, uint32_t element_size) > return i+1; > } > >+/** >+ * @brief Get the string length including the null terminator if available. >+ * >+ * This checks the string length based on the elements. The returned number >+ * includes the terminating null byte(s) if found. >+ * >+ * @param[in] _var The string the calculate the length for. >+ * >+ * @param[in] length The length of the buffer passed by _var. >+ * >+ * @param[in] element_size The element_size of a string char in bytes. >+ * >+ * @return The length of the strings or 0. >+ */ >+static uint32_t ndr_string_n_length(const void *_var, >+ size_t length, >+ uint32_t element_size) >+{ >+ size_t i = 0; >+ uint8_t zero[4] = {0,0,0,0}; >+ const char *var = (const char *)_var; >+ int cmp; >+ >+ if (element_size > 4) { >+ return 0; >+ } >+ >+ for (i = 0; i < length; i++, var += element_size) { >+ cmp = memcmp(var, zero, element_size); >+ if (cmp == 0) { >+ break; >+ } >+ } >+ >+ if (i == length) { >+ return length; >+ } >+ >+ return i + 1; >+} >+ > _PUBLIC_ enum ndr_err_code ndr_check_string_terminator(struct ndr_pull *ndr, uint32_t count, uint32_t element_size) > { > uint32_t i; >@@ -622,8 +663,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_charset_to_null(struct ndr_pull *ndr, int nd > > NDR_PULL_NEED_BYTES(ndr, length*byte_mul); > >- str_len = ndr_string_length(ndr->data+ndr->offset, byte_mul); >- str_len = MIN(str_len, length); /* overrun protection */ >+ str_len = ndr_string_n_length(ndr->data+ndr->offset, length, byte_mul); >+ if (str_len == 0) { >+ return ndr_pull_error(ndr, NDR_ERR_LENGTH, >+ "Invalid length"); >+ } >+ > if (!convert_string_talloc(ndr->current_mem_ctx, chset, CH_UNIX, > ndr->data+ndr->offset, str_len*byte_mul, > discard_const_p(void *, var), >-- >2.24.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=15718">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
slow
:
review+
Actions:
View
Attachments on
bug 14219
:
15690
|
15717
| 15718