CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet
authorGary Lockyer <gary@catalyst.net.nz>
Wed, 24 Jun 2020 02:27:08 +0000 (14:27 +1200)
committerKarolin Seeger <kseeger@samba.org>
Thu, 25 Jun 2020 11:04:45 +0000 (13:04 +0200)
An empty UDP packet put the nbt server into a busy loop that consumed
100% of a CPU.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
libcli/nbt/nbtsocket.c
selftest/knownfail.d/empty-nbt [deleted file]

index 33d53fba9939c88eb6c3327793ea47acad4ab822..8aecaf73247835f5c87f40a743e1c61d3f126a33 100644 (file)
@@ -167,8 +167,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock)
                return;
        }
 
+       /*
+        * Given a zero length, data_blob_talloc() returns the
+        * NULL blob {NULL, 0}.
+        *
+        * We only want to error return here on a real out of memory condition
+        * (i.e. dsize != 0, so the UDP packet has data, but the return of the
+        * allocation failed, so blob.data==NULL).
+        *
+        * Given an actual zero length UDP packet having blob.data == NULL
+        * isn't an out of memory error condition, that's the defined semantics
+        * of data_blob_talloc() when asked for zero bytes.
+        *
+        * We still need to continue to do the zero-length socket_recvfrom()
+        * read in order to clear the "read pending" condition on the socket.
+        */
        blob = data_blob_talloc(tmp_ctx, NULL, dsize);
-       if (blob.data == NULL) {
+       if (blob.data == NULL && dsize != 0) {
                talloc_free(tmp_ctx);
                return;
        }
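Review bot: Once the relaxed guard admits a zero-length datagram, everything after the socket_recvfrom() in nbt_name_socket_recv is handed `blob = {NULL, 0}`, and nothing in this hunk shows that length-0 input is rejected before the NBT packet parser or any `blob.data` dereference. Unless the parser is known to fail cleanly on an empty buffer, an explicit drop immediately after the read would make the intent visible and keep the empty-packet path obviously terminating: `if (blob.length == 0) { talloc_free(tmp_ctx); return; }` (placed after the zero-length read so the "read pending" state is still cleared). The `dsize != 0` clause is correct as far as the visible lines go, but `dsize` is computed above the hunk and the function's body continues past its end, so the downstream handling cannot be confirmed from here.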
diff --git a/selftest/knownfail.d/empty-nbt b/selftest/knownfail.d/empty-nbt
deleted file mode 100644 (file)
index e4bccca..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet
\ No newline at end of file