From: Douglas Bagnall Date: Sun, 19 Jan 2020 02:08:58 +0000 (+1300) Subject: nmblib: avoid undefined behaviour in handle_name_ptrs() X-Git-Tag: ldb-2.1.1~146 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3bc7acc62646b105b03fd3c65e9170a373f95392;p=thirdparty%2Fsamba.git nmblib: avoid undefined behaviour in handle_name_ptrs() If *offset is length - 1, we would read ubuf[(*offset)+1] as the lower bits of the new *offset. This value is undefined, but because it is checked against the valid range, there is no way to read further beyond that one byte. Credit to oss-fuzz. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14242 OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20193 Signed-off-by: Douglas Bagnall Reviewed-by: Jeremy Allison Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Feb 7 10:19:39 UTC 2020 on sn-devel-184 --- diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c index 84cbb054b8e..c05fac2bba9 100644 --- a/source3/libsmb/nmblib.c +++ b/source3/libsmb/nmblib.c @@ -160,6 +160,9 @@ static bool handle_name_ptrs(unsigned char *ubuf,int *offset,int length, if (!*got_pointer) (*ret) += 2; (*got_pointer)=True; + if (*offset > length - 2) { + return False; + } (*offset) = ((ubuf[*offset] & ~0xC0)<<8) | ubuf[(*offset)+1]; if (loop_count++ == 10 || (*offset) < 0 || (*offset)>(length-2)) {
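Review bot: the new bounds check `if (*offset > length - 2) { return False; }` is placed after the function has already mutated its out-parameters (`(*ret) += 2;` and `(*got_pointer)=True;`), so a caller that receives False has nonetheless had `*ret` advanced and `*got_pointer` set; moving the check above those two statements would let a rejected pointer leave the caller's state untouched, which is easier to reason about and matches the later `(*offset)>(length-2)` range check that already guards the post-assignment value. A short comment on the new check (two bytes are read, `ubuf[*offset]` and `ubuf[(*offset)+1]`, so `*offset` must be at most `length - 2`) would also make the `- 2` self-explanatory. The bound itself is correct for the case the commit message describes: with `*offset == length - 1` the old code read `ubuf[length]`, one byte past the buffer, and the new check returns before that read.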