The Samba-Bugzilla – Attachment 15810 Details for
Bug 14242
[FUZZ] nmblib handle_name_ptrs reading beyond the buffer
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for Samba 4.11 (cherry-picked from master patch)
0001-nmblib-avoid-undefined-behaviour-in-handle_name_ptrs.patch (text/plain), 1.53 KB, created by
Andrew Bartlett
on 2020-02-21 00:24:14 UTC
(
hide
)
Description:
patch for Samba 4.11 (cherry-picked from master patch)
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2020-02-21 00:24:14 UTC
Size:
1.53 KB
patch
obsolete
>From f90fa9bf1d6aed4c201ae16ac08fd064f791c546 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Sun, 19 Jan 2020 15:08:58 +1300 >Subject: [PATCH] nmblib: avoid undefined behaviour in handle_name_ptrs() > >If *offset is length - 1, we would read ubuf[(*offset)+1] as the lower >bits of the new *offset. This value is undefined, but because it is >checked against the valid range, there is no way to read further >beyond that one byte. > >Credit to oss-fuzz. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14242 >OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20193 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Reviewed-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> > >Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >Autobuild-Date(master): Fri Feb 7 10:19:39 UTC 2020 on sn-devel-184 > >(cherry picked from commit 3bc7acc62646b105b03fd3c65e9170a373f95392) >--- > source3/libsmb/nmblib.c | 3 +++ > 1 file changed, 3 insertions(+) > >diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c >index 0681450bae2..8d387fe8120 100644 >--- a/source3/libsmb/nmblib.c >+++ b/source3/libsmb/nmblib.c >@@ -160,6 +160,9 @@ static bool handle_name_ptrs(unsigned char *ubuf,int *offset,int length, > if (!*got_pointer) > (*ret) += 2; > (*got_pointer)=True; >+ if (*offset > length - 2) { >+ return False; >+ } > (*offset) = ((ubuf[*offset] & ~0xC0)<<8) | ubuf[(*offset)+1]; > if (loop_count++ == 10 || > (*offset) < 0 || (*offset)>(length-2)) { >-- >2.17.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
jra
:
review+
Actions:
View
Attachments on
bug 14242
:
15743
|
15809
| 15810 |
15811