From d15a3797c7949140c872e82cc42d4f7301a9bf82 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 7 Nov 2019 14:19:24 +1300
Subject: [PATCH] librpc: Avoid spinning on string_array elements with a short input

Without this protection we will spin during decode of a string_array or nstring_array that is terminated by only a single NUL byte, not two as required by UTF-16.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13874

Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---
 librpc/ndr/ndr_string.c | 7 +++++++
 selftest/knownfail.d/bug-13874 | 3 ---
 2 files changed, 7 insertions(+), 3 deletions(-)
 delete mode 100644 selftest/knownfail.d/bug-13874

diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 0fefc887c30..eb0af57a6ab 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -118,9 +118,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_string(struct ndr_pull *ndr, int ndr_flags,
 		break;
 
 	case LIBNDR_FLAG_STR_NULLTERM:
+		/*
+		 * We ensure that conv_str_len cannot return 0 by
+		 * requring that there be enough bytes for at least
+		 * the NULL terminator
+		 */
 		if (byte_mul == 1) {
+			NDR_PULL_NEED_BYTES(ndr, 1);
 			conv_src_len = ascii_len_n((const char *)(ndr->data+ndr->offset), ndr->data_size - ndr->offset);
 		} else {
+			NDR_PULL_NEED_BYTES(ndr, 2);
 			conv_src_len = utf16_len_n(ndr->data+ndr->offset, ndr->data_size - ndr->offset);
 		}
 		byte_mul = 1; /* the length is now absolute */
diff --git a/selftest/knownfail.d/bug-13874 b/selftest/knownfail.d/bug-13874
deleted file mode 100644
index 0dccf1aea28..00000000000
--- a/selftest/knownfail.d/bug-13874
+++ /dev/null
@@ -1,3 +0,0 @@
-^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_PackagesBlob\(none\)
-^librpc.ndr.ndr_string.test_pull_string_zero_len_nul_term\(none\)
-^librpc.ndr.ndr_string.test_pull_string_len_1_nul_term\(none\)
-- 
2.47.3
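Review bot: The new comment in the LIBNDR_FLAG_STR_NULLTERM case says `conv_str_len` cannot "return" 0, but the variable assigned on the following lines is `conv_src_len`, and it is a length, not a function; the comment also misspells "requiring" and says "NULL terminator" where the terminator in question is a NUL byte. Suggest replacing the four comment lines with `/* Require at least the NUL terminator so that conv_src_len cannot be 0; a zero-length pull would leave ndr->offset unchanged and spin callers decoding a string_array or nstring_array. */`. Whether the bounded ascii_len_n()/utf16_len_n() calls always count the terminator (and so yield a non-zero length once NDR_PULL_NEED_BYTES has passed) is not visible in this hunk and is presumably what the guard relies on, so it is worth stating in the comment. ndr_pull_string begins and ends outside the hunk.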