From 9d2d3bb16f2cf803a599c449c07ec5fa65fd8b1e Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 11 May 2020 12:23:49 -0700
Subject: [PATCH 1/3] s3: libsmb: In SMB2 return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.

Can happen if namelen == 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374

Signed-off-by: Jeremy Allison
---
 source3/libsmb/cli_smb2_fnum.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index d29341c1708..0622a05a655 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -1269,6 +1269,12 @@ static NTSTATUS parse_finfo_id_both_directory_info(uint8_t *dir_data,
 		/* Bad conversion. */
 		return NT_STATUS_INVALID_NETWORK_RESPONSE;
 	}
+
+	if (finfo->name == NULL) {
+		/* Bad conversion. */
+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
+	}
+
 	return NT_STATUS_OK;
 }
-- 
2.20.1

From bd7023d3e16af043feadb0056922158cb1c78cad Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 11 May 2020 12:34:10 -0700
Subject: [PATCH 2/3] s3: libsmb: In SMB1 old protocol - return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.

Can happen if namelen == 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374

Signed-off-by: Jeremy Allison
---
 source3/libsmb/clilist.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index f868e72a239..28449dec81c 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -552,7 +552,10 @@ static NTSTATUS cli_list_old_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
 			TALLOC_FREE(finfo);
 			return NT_STATUS_NO_MEMORY;
 		}
-
+		if (finfo->name == NULL) {
+			TALLOC_FREE(finfo);
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
 		status = is_bad_finfo_name(state->cli, finfo);
 		if (!NT_STATUS_IS_OK(status)) {
 			smbXcli_conn_disconnect(state->cli->conn, status);
-- 
2.20.1
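Review bot: The added `if (finfo->name == NULL)` guard copies the `/* Bad conversion. */` comment from the `ret == (size_t)-1` branch just above it, but it catches a different case — per the commit message a zero-length name (`namelen == 0`) that leaves `finfo->name` NULL — so the comment should say that, e.g. `/* namelen == 0 leaves finfo->name NULL; reject it as a malformed directory entry. */`. Before this change such an entry fell through to `return NT_STATUS_OK;` with a NULL name, so the function header (outside the hunk) should now state that a NULL name is treated as a protocol violation and yields NT_STATUS_INVALID_NETWORK_RESPONSE. The guard does not cover a name that converts to an empty string rather than NULL; whether the caller's is_bad_finfo_name() handles that cannot be seen from this hunk. parse_finfo_id_both_directory_info begins outside the hunk.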
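Review bot: The new `finfo->name == NULL` branch in cli_list_old_recv returns NT_STATUS_INVALID_NETWORK_RESPONSE without calling smbXcli_conn_disconnect(), while the is_bad_finfo_name() failure immediately below disconnects on a bad name; if keeping the connection up here is intended (patch 3/3 of this series says so), a one-line comment would stop a later reader from "fixing" the asymmetry, e.g. `/* Zero-length name: fail the listing but keep the connection. */`. The branch sits directly after an NT_STATUS_NO_MEMORY return that frees finfo the same way, so the two cleanups could share a single exit. cli_list_old_recv begins and ends outside the hunk, so whether entries already built earlier in the loop are released on this early return cannot be confirmed from here.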
From c6ce410dea3e65ef8bcda5b26901111c8c1d1c4a Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 11 May 2020 12:37:08 -0700
Subject: [PATCH 3/3] s3: libsmbclient: Finish unifing behavior across SMB NT1 protocol.

On bad name conversion, exit the directory listing with an error, but leave the connection intact.

We were already checking for finfo->name == NULL here, but were ignoring it and not reporting an error.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374

Signed-off-by: Jeremy Allison
---
 source3/libsmb/clilist.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index 28449dec81c..f9444bc401c 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -794,8 +794,9 @@ static void cli_list_trans_done(struct tevent_req *subreq)
 		if (finfo->name == NULL) {
 			DEBUG(1, ("cli_list: Error: unable to parse name from "
 				  "info level %d\n", state->info_level));
-			ff_eos = true;
-			break;
+			tevent_req_nterror(req,
+				NT_STATUS_INVALID_NETWORK_RESPONSE);
+			return;
 		}
 		status = is_bad_finfo_name(state->cli, finfo);
-- 
2.20.1
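Review bot: Replacing `ff_eos = true; break;` with tevent_req_nterror() turns a silently truncated listing into a failed request, but the DEBUG(1, ...) line kept above it still only says the name could not be parsed; the message should say the listing is being aborted, and the branch deserves a comment recording that, unlike the is_bad_finfo_name() path that follows (which in the SMB1 old-protocol path of patch 2/3 disconnects), this path deliberately leaves the connection intact, e.g. `/* Malformed entry: fail this request, but keep the connection. */`. Ignoring tevent_req_nterror()'s return value is acceptable here because NT_STATUS_INVALID_NETWORK_RESPONSE is never NT_STATUS_OK, so the request is always marked failed before the return. cli_list_trans_done begins and ends outside the hunk.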