Without this protection we will spin during decode of a string_array or nstring_array
that is terminated by only a single NUL byte, not two as required by UTF-16.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13874
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
break;
case LIBNDR_FLAG_STR_NULLTERM:
+ /*
+ * We ensure that conv_str_len cannot return 0 by
+ * requring that there be enough bytes for at least
+ * the NULL terminator
+ */
if (byte_mul == 1) {
+ NDR_PULL_NEED_BYTES(ndr, 1);
conv_src_len = ascii_len_n((const char *)(ndr->data+ndr->offset), ndr->data_size - ndr->offset);
} else {
+ NDR_PULL_NEED_BYTES(ndr, 2);
conv_src_len = utf16_len_n(ndr->data+ndr->offset, ndr->data_size - ndr->offset);
}
byte_mul = 1; /* the length is now absolute */
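Review bot: the new comment has a typo ("requring" should be "requiring") and says "NULL terminator" where the commit message and the surrounding calls (ascii_len_n/utf16_len_n) are about the terminating NUL byte(s), not a NULL pointer; suggest "requiring that there be enough bytes for at least the NUL terminator". It would also help to state in the comment why a zero return from conv_str_len matters (per the commit message, the decode does not advance and spins on a UTF-16 string ending in a single NUL), so the two NDR_PULL_NEED_BYTES checks, 1 byte for byte_mul == 1 and 2 bytes for the UTF-16 case, are not mistaken for redundant bounds checks and dropped later.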
+++ /dev/null
-^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_PackagesBlob\(none\)
-^librpc.ndr.ndr_string.test_pull_string_zero_len_nul_term\(none\)
-^librpc.ndr.ndr_string.test_pull_string_len_1_nul_term\(none\)
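Review bot: the hunk shows the whole knownfail file going to /dev/null but the "---" header with the file's path is not visible here, so please make sure the commit removes only the knownfail file for these three entries and not a shared list. Since the commit message does not mention tests, add a sentence saying that test_pull_string_zero_len_nul_term, test_pull_string_len_1_nul_term and the fuzzed PackagesBlob ndrdump case are already in tree and now pass with the NDR_PULL_NEED_BYTES checks, so a reader can tie the knownfail removal to the fix.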