CVE-2026-3238: winsserver4: Validate incoming packets
authorVolker Lendecke <vl@samba.org>
Tue, 24 Feb 2026 15:30:46 +0000 (16:30 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 26 May 2026 12:51:32 +0000 (12:51 +0000)
Avoid NULL pointer dereferences, leading to a crash in the nbt process
serving wins.

Thanks to Arad Inbar, Erez Cohen, Nir Somech and Ben Grinberg from
DREAM Security Research Team for pointing out this crash bug to
the Samba team.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16012

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
source4/nbt_server/wins/winsserver.c

index 1b7fe5641a69884334ae38a6c2031cc1ccf38011..c637657f07ce34cebd2dcaf7a61e28c1de8ac1f5 100644 (file)
@@ -472,9 +472,16 @@ static void nbtd_winsserver_register(struct nbt_name_socket *nbtsock,
        struct winsdb_addr *winsdb_addr = NULL;
        bool duplicate_packet;
 
+       NBTD_ASSERT_PACKET(packet, src, packet->qdcount > 0);
+       NBTD_ASSERT_PACKET(packet, src, packet->arcount > 0);
+
        name = &packet->questions[0].name;
        additional = packet->additional;
 
+       NBTD_ASSERT_PACKET(packet,
+                          src,
+                          additional[0].rdata.netbios.length > 0);
+
        addresses = additional[0].rdata.netbios.addresses;
 
        nb_flags = addresses[0].nb_flags;
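Review bot: The new `additional[0].rdata.netbios.length > 0` check does not by itself establish that `addresses[0]` exists, which the following `nb_flags = addresses[0].nb_flags;` line relies on. If the decoder sizes `addresses` from `length` divided by the encoded entry size (the IDL is not visible here), a nonzero length shorter than one entry would still leave the array empty, so the assertion should require that the length covers at least one full address entry. `rdata` also looks like a union selected by record type, so I would add `NBTD_ASSERT_PACKET(packet, src, additional[0].rr_type == NBT_QTYPE_NETBIOS);` before reading the `netbios` member, unless the dispatcher already guarantees it. The body of nbtd_winsserver_register continues outside the hunk.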
@@ -747,6 +754,8 @@ static void nbtd_winsserver_query(struct loadparm_context *lp_ctx,
        const char **addresses_1b = NULL;
        uint16_t nb_flags = 0;
 
+       NBTD_ASSERT_PACKET(packet, src, packet->qdcount > 0);
+
        name = &packet->questions[0].name;
 
        if (name->type == NBT_NAME_MASTER) {
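Review bot: `packet->qdcount > 0` bounds the count only from below, while the handler reads just `questions[0]`, so any further questions in the request are accepted and silently ignored; the same applies to the identical guards added in nbtd_winsserver_register and nbtd_winsserver_release. If a WINS request is expected to carry exactly one question, `NBTD_ASSERT_PACKET(packet, src, packet->qdcount == 1);` states the contract more tightly and rejects malformed packets at the entry point. The function bodies continue outside the hunks, so later uses of `packet` are not visible here.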
@@ -889,6 +898,8 @@ static void nbtd_winsserver_release(struct nbt_name_socket *nbtsock,
        uint32_t modify_flags = 0;
        uint8_t ret;
 
+       NBTD_ASSERT_PACKET(packet, src, packet->qdcount > 0);
+
        name = &packet->questions[0].name;
 
        if (name->type == NBT_NAME_MASTER) {