From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 7 Nov 2019 01:19:24 +0000 (+1300)
Subject: librpc: Avoid spinning on string_array elements with a short input
X-Git-Tag: ldb-2.1.0~473
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d15a3797c7949140c872e82cc42d4f7301a9bf82;p=thirdparty%2Fsamba.git

librpc: Avoid spinning on string_array elements with a short input

Without this protection we will spin during decode of a string_array or nstring_array
that is terminated by only a single NUL byte, not two as required by UTF-16.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13874

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---

diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 0fefc887c30..eb0af57a6ab 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -118,9 +118,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_string(struct ndr_pull *ndr, int ndr_flags,
 		break;
 
 	case LIBNDR_FLAG_STR_NULLTERM:
+		/*
+		 * We ensure that conv_str_len cannot return 0 by
+		 * requring that there be enough bytes for at least
+		 * the NULL terminator
+		 */
 		if (byte_mul == 1) {
+			NDR_PULL_NEED_BYTES(ndr, 1);
 			conv_src_len = ascii_len_n((const char *)(ndr->data+ndr->offset), ndr->data_size - ndr->offset);
 		} else {
+			NDR_PULL_NEED_BYTES(ndr, 2);
 			conv_src_len = utf16_len_n(ndr->data+ndr->offset, ndr->data_size - ndr->offset);
 		}
 		byte_mul = 1; /* the length is now absolute */
diff --git a/selftest/knownfail.d/bug-13874 b/selftest/knownfail.d/bug-13874
deleted file mode 100644
index 0dccf1aea28..00000000000
--- a/selftest/knownfail.d/bug-13874
+++ /dev/null
@@ -1,3 +0,0 @@
-^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_PackagesBlob\(none\)
-^librpc.ndr.ndr_string.test_pull_string_zero_len_nul_term\(none\)
-^librpc.ndr.ndr_string.test_pull_string_len_1_nul_term\(none\)