15019 – NBT parsing depends on uninitialised memory

Bug 15019 - NBT parsing depends on uninitialised memory

Summary: NBT parsing depends on uninitialised memory

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	DCE-RPCs and pipes (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Jo Sutton
QA Contact:	Samba QA Contact

URL:	https://bugs.chromium.org/p/oss-fuzz/...
Keywords:

Depends on:
Blocks:

Reported:	2022-03-16 21:21 UTC by Douglas Bagnall
Modified:	2023-07-21 23:13 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Douglas Bagnall 2022-03-16 21:21:54 UTC

In ndr_push_nbt_res_rec() in libcli/nbt/nbtname.c we go lke this:

    NDR_CHECK(ndr_push_set_switch_value(ndr, &r->rdata, ((((r->rr_type) == NBT_QTYPE_NETBIOS) && ((r->rdata).data.length == 2))?0:r->rr_type)));

    NDR_CHECK(ndr_push_nbt_rdata(ndr, NDR_SCALARS, &r->rdata));


The first line is trying to determine whether this is really a WACK packet (it has other bugs we'll ignore here) by peeking into r->rdata.data.length.

The trouble is we don't set r->rdata until the next line.

We don't notice it in fuzzing because the push is overwriting the same memory that we pulled from, so 


It was briefly an IDL macro, then moved here with dce310ef4ec2eedb496e814cf341ad7caab821af.

Comment 1 Douglas Bagnall 2022-03-16 21:25:12 UTC

What we really need is to look at the opcode to see if it's WACK, but by the time we get here we've forgotten that. 

It seems PIDL isn't really up to the task here, and we need to turn a whole lot more of NBT stack into manually maintained code.

Comment 4 Samba QA Contact 2023-07-07 01:15:12 UTC

This bug was referenced in samba master:

edad945339f6401b2566efddd33f47195e2637c3