From: Jeremy Allison
Date: Fri, 11 Aug 2023 17:42:41 +0000 (-0700)
Subject: s3: smbd: Ensure srvstr_pull_req_talloc() always NULLs out *dest.
X-Git-Tag: tevent-0.16.0~966
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9220c45cc191b34e293190f6a923ba463edd5db9;p=thirdparty%2Fsamba.git

s3: smbd: Ensure srvstr_pull_req_talloc() always NULLs out *dest.

Robert Morris noticed that in the case where srvstr_pull_req_talloc() is being called with buffer remaining == 0, we don't NULL out the destination pointed which is *always* done in the codepaths inside pull_string_talloc().

This prevents a crash in the caller.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420

Signed-off-by: Jeremy Allison
Reviewed-by: Volker Lendecke
--- diff --git a/selftest/knownfail.d/smb1_truncated_sessetup b/selftest/knownfail.d/smb1_truncated_sessetup deleted file mode 100644 index 2ecdbd867a9..00000000000 --- a/selftest/knownfail.d/smb1_truncated_sessetup +++ /dev/null @@ -1 +0,0 @@ -^samba3.smbtorture_s3.smb1.SMB1-TRUNCATED-SESSSETUP.smbtorture\(fileserver_smb1\) diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c index 66b735e0b75..dfcd05d2cae 100644 --- a/source3/smbd/smb2_reply.c +++ b/source3/smbd/smb2_reply.c @@ -533,6 +533,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, ssize_t bufrem = smbreq_bufrem(req, src); if (bufrem == 0) { + *dest = NULL; return 0; }
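Review bot: In the source3/smbd/smb2_reply.c hunk, `*dest = NULL;` is assigned only inside the `bufrem == 0` early return, so the "always NULLs out *dest" guarantee still depends on pull_string_talloc() covering every other path. Assigning `*dest = NULL;` once at the top of srvstr_pull_req_talloc(), before bufrem is computed, would keep the guarantee local to this function and would also hold for any early return added later. bufrem is declared as ssize_t but is compared only against 0; a short comment stating whether smbreq_bufrem() can yield a negative value here, and what *dest is left as in that case, would help the next reader. A one-line note in the function's header comment that callers may rely on *dest being NULL when 0 is returned would document the contract this fix establishes.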