From: Ralph Boehme
Date: Fri, 3 May 2019 20:52:56 +0000 (+0200)
Subject: s3:mdssvc: marshalling: fix unpacking empty filemeta structure
X-Git-Tag: tdb-1.4.2~217
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d67c98184a176805c0406ea4d6d56bcde78bb26d;p=thirdparty%2Fsamba.git

s3:mdssvc: marshalling: fix unpacking empty filemeta structure

This is how a correct dump of an empty sl_filemeta_t container should look:

DALLOC_CTX(#1): {
  sl_array_t(#3): {
    uint64_t: 0x0023
    CNIDs: unkn1: 0x0, unkn2: 0x0
      DALLOC_CTX(#0): {
      }
    sl_filemeta_t(#0): {
    }
  }
}

This is basically the response from macOS mdssvc for a query that yields no results: sl_filemeta_t is empty, the CNIDs array as well.

Looking at the raw packet data, the empty sl_filemeta_t container has a size of 8 bytes which fails the following check in sl_unpack_cpx():

case SQ_CPX_TYPE_FILEMETA:
...
if (tag.size < 16) {
    *boom*
}

Only tag.size=0 is invalid, tag.size=8 denotes an empty container and tag.size>=16 denotes a sl_filemeta_t container with actual content that must be unpacked by calling sl_unpack(). Note that size is always a multiple of 8.

Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison

---

diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c index 39eeaad0d60..7f5f95e836d 100644 --- a/source3/rpc_server/mdssvc/marshalling.c +++ b/source3/rpc_server/mdssvc/marshalling.c @@ -1005,7 +1005,7 @@ static ssize_t sl_unpack_cpx(DALLOC_CTX *query, if (offset == -1) { return -1; } - if (tag.size < 16) { + if (tag.size < 8) { DBG_WARNING("size too mall: %zu\n", tag.size); return -1; } 
@@ -1014,9 +1014,14 @@ static ssize_t sl_unpack_cpx(DALLOC_CTX *query, if (sl_fm == NULL) { return -1; } - result = sl_unpack(sl_fm, buf + offset, bufsize - offset ); - if (result == -1) { - return -1; + + if (tag.size >= 16) { + result = sl_unpack(sl_fm, + buf + offset, + bufsize - offset ); + if (result == -1) { + return -1; + } } result = dalloc_add(query, sl_fm, sl_filemeta_t); if (result != 0) {
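Review bot: The relaxed check in the first hunk, `if (tag.size < 8)`, admits sizes 9 through 15, which the commit message says cannot occur because size is always a multiple of 8; with the second hunk those values would silently take the empty-container path instead of being rejected. Consider tightening it to something like `if (tag.size < 8 || (tag.size % 8) != 0)` so a malformed size from the wire is refused rather than treated as empty. While touching this line, the warning text in the unchanged context, `"size too mall: %zu\n"`, should read "too small".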
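Review bot: In the second hunk the new guard `if (tag.size >= 16)` decides whether to unpack, but the call still passes `bufsize - offset` rather than the container's declared length, so sl_unpack() is bounded by the remaining buffer and not by `tag.size`; a size larger than what remains after `offset` is never rejected here. Suggest checking `tag.size <= bufsize - offset` before the call (or passing `tag.size` as the length) so the declared size and the actual buffer agree. Minor style point: the stray space in `bufsize - offset )` was carried over into the reformatted call and could be dropped.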