From d67c98184a176805c0406ea4d6d56bcde78bb26d Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Fri, 3 May 2019 22:52:56 +0200
Subject: [PATCH] s3:mdssvc: marshalling: fix unpacking empty filemeta structure

This is how a correct dump of an empty sl_filemeta_t container should look like: DALLOC_CTX(#1): { sl_array_t(#3): { uint64_t: 0x0023 CNIDs: unkn1: 0x0, unkn2: 0x0 DALLOC_CTX(#0): { } sl_filemeta_t(#0): { } } } This is basically the response from macOS mdssvc for a query that yields no results: sl_filemeta_t is empty, the CNIDs array as well. Looking at the raw packet data, the empty sl_filemeta_t container as a size of 8 bytes which fails the following check in sl_unpack_cpx(): case SQ_CPX_TYPE_FILEMETA: ... if (tag.size < 16) { *boom* } Only tag.size=0 is invalid, tag.size=8 denotes an empty container and tag.size>=16 denotes a sl_filemeta_t container with actual content must be unpacked by calling sl_unpack(). Note that size is always a muliple of 8.

Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
---
 source3/rpc_server/mdssvc/marshalling.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
index 39eeaad0d60..7f5f95e836d 100644
--- a/source3/rpc_server/mdssvc/marshalling.c
+++ b/source3/rpc_server/mdssvc/marshalling.c
@@ -1005,7 +1005,7 @@ static ssize_t sl_unpack_cpx(DALLOC_CTX *query,
 if (offset == -1) {
 return -1;
 }
- if (tag.size < 16) {
+ if (tag.size < 8) {
 DBG_WARNING("size too mall: %zu\n", tag.size);
 return -1;
 }
@@ -1014,9 +1014,14 @@ static ssize_t sl_unpack_cpx(DALLOC_CTX *query,
 if (sl_fm == NULL) {
 return -1;
 }
- result = sl_unpack(sl_fm, buf + offset, bufsize - offset );
- if (result == -1) {
- return -1;
+
+ if (tag.size >= 16) {
+ result = sl_unpack(sl_fm,
+ buf + offset,
+ bufsize - offset );
+ if (result == -1) {
+ return -1;
+ }
 }
 result = dalloc_add(query, sl_fm, sl_filemeta_t);
 if (result != 0) {
--
2.47.3
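Review bot: The relaxed bound `if (tag.size < 8) {` still admits sizes 9..15, which the commit message itself rules out ("size is always a multiple of 8"); such values pass this check and, being below 16, would later be treated as an empty container instead of being rejected as malformed. If the wire format really guarantees 8-byte granularity, make the check say so: `if (tag.size < 8 || (tag.size % 8) != 0) {`. Whether an earlier stage already validates the alignment of tag.size is not visible in this hunk. The warning text on the following context line, `size too mall`, also has a typo (`small`) that could be fixed while touching this spot. sl_unpack_cpx begins and ends outside this hunk.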
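Review bot: The new `if (tag.size >= 16)` gate uses the container size only to decide whether to parse, not to bound the parse: `sl_unpack(sl_fm, buf + offset, bufsize - offset)` may still consume everything up to the end of the request buffer rather than the container's own extent. If tag.size is the byte length of the sl_filemeta_t container, as the commit message suggests, the nested call should be limited to it, roughly `MIN(tag.size - 8, bufsize - offset)`; the exact header length to subtract and whether offset already points past the tag are not visible here and need confirming against the tag-reading code. Separately, sizes between 9 and 15 silently take the empty-container path, so a short comment on the `if`, such as `/* tag.size == 8: empty container; >= 16: payload to unpack */`, would record the rule stated in the commit message. The enclosing function starts and ends outside the hunk.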