Bug 15019 - NBT parsing depends on uninitialised memory
Summary: NBT parsing depends on uninitialised memory
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jo Sutton
QA Contact: Samba QA Contact
URL: https://bugs.chromium.org/p/oss-fuzz/...
Depends on:
Reported: 2022-03-16 21:21 UTC by Douglas Bagnall
Modified: 2023-07-21 23:13 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Douglas Bagnall 2022-03-16 21:21:54 UTC
In ndr_push_nbt_res_rec() in libcli/nbt/nbtname.c we go lke this:

    NDR_CHECK(ndr_push_set_switch_value(ndr, &r->rdata, ((((r->rr_type) == NBT_QTYPE_NETBIOS) && ((r->rdata).data.length == 2))?0:r->rr_type)));

    NDR_CHECK(ndr_push_nbt_rdata(ndr, NDR_SCALARS, &r->rdata));

The first line is trying to determine whether this is really a WACK packet (it has other bugs we'll ignore here) by peeking into r->rdata.data.length.

The trouble is we don't set r->rdata until the next line.

We don't notice it in fuzzing because the push is overwriting the same memory that we pulled from, so 

It was briefly an IDL macro, then moved here with dce310ef4ec2eedb496e814cf341ad7caab821af.
Comment 1 Douglas Bagnall 2022-03-16 21:25:12 UTC
What we really need is to look at the opcode to see if it's WACK, but by the time we get here we've forgotten that. 

It seems PIDL isn't really up to the task here, and we need to turn a whole lot more of NBT stack into manually maintained code.
Comment 4 Samba QA Contact 2023-07-07 01:15:12 UTC
This bug was referenced in samba master: