When parsing SMB LanManager packets with invalid protocol ID and the
default set of Squid supported protocols, it may access memory outside
the buffer storing protocol names.
smblib is only used by already deprecated helpers which are deprecated
due to far more significant NTLM protocol issues. It will also only
result in packets being rejected later with invalid protocol names. So
this is a minor bug rather than a vulnerability.
Detected by Coverity Scan. Issue 1256165
{
int i;
- if (dialects == SMB_Prots) { /* The jobs is easy, just index into table */
+ // prot_index may be a value outside the table SMB_Types[]
+ // which holds data at offsets 0 to 11
+ int ourType = (prot_index < 0 || prot_index > 11);
+
+ if (ourType && dialects == SMB_Prots) { /* The jobs is easy, just index into table */
return(SMB_Types[prot_index]);
} else { /* Search through SMB_Prots looking for a match */
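Review bot: the range test on the added `int ourType = (prot_index < 0 || prot_index > 11);` line looks inverted. It evaluates to true exactly when prot_index lies outside 0 to 11, so `if (ourType && dialects == SMB_Prots)` now reaches `return(SMB_Types[prot_index]);` only for out-of-range indexes, while valid indexes fall through to the search branch. Suggest `prot_index >= 0 && prot_index <= 11` (or negating the flag in the `if`), and deriving the upper bound from the size of SMB_Types[] rather than the literal 11 so the check stays correct if the table changes. The name ourType also reads as a type value rather than a bounds flag; something like a validity flag name would match what it holds.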