From: Jeremy Allison Date: Fri, 17 Jan 2020 21:49:48 +0000 (-0800) Subject: s3: lib: nmblib. Clean up and harden nmb packet processing. X-Git-Tag: samba-4.10.14~32 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55177a44258dceee3aa3ae4966f56f422a9a5aad;p=thirdparty%2Fsamba.git s3: lib: nmblib. Clean up and harden nmb packet processing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14239 OSS-FUZZ: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20156 OSS-FUZZ: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20157 Credit to oss-fuzz. No security implications. Signed-off-by: Jeremy Allison Pair programmed with: Douglas Bagnall Reviewed-by: Douglas Bagnall Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Jan 21 23:33:41 UTC 2020 on sn-devel-184 (cherry picked from commit ad236bb7590e423b4c69fe6028f2f3495977f48b) --- diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c index 727939575a7..0681450bae2 100644 --- a/source3/libsmb/nmblib.c +++ b/source3/libsmb/nmblib.c @@ -192,10 +192,14 @@ static int parse_nmb_name(char *inbuf,int ofs,int length, struct nmb_name *name) m = ubuf[offset]; - if (!m) - return(0); - if ((m & 0xC0) || offset+m+2 > length) - return(0); + /* m must be 32 to exactly fill in the 16 bytes of the netbios name */ + if (m != 32) { + return 0; + } + /* Cannot go past length. */ + if (offset+m+2 > length) { + return 0; + } memset((char *)name,'\0',sizeof(*name));
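Review bot: The literal 32 in the new `if (m != 32)` test in parse_nmb_name() is a magic number, linked to the 16-byte NetBIOS name only by the comment; a named constant, or an expression written as twice the name size, would keep the check and the buffer in step if either changes. The same test also narrows what is accepted: the removed `!m` and `(m & 0xC0)` checks let any label length from 1 to 63 through, while only 32 passes now, and the commit message ("Clean up and harden") does not state that change in accepted input. In the bounds check that follows, `offset+m+2 > length` is computed on signed values (the signature takes `int ofs, int length`), so it relies on offset already being known to be non-negative and within length; the visible context does not show that validation, so either confirm it happens earlier in the function or add the check here before the addition.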