Commit f7f9280
librpc: Check for NULL pointer in value() in ntlmssp_AUTHENTICATE
This allows ndrdump --validate to avoid following a NULL pointer when
re-pushing a valid but unusual input.

It also avoids an issue if the Samba server code were to provide a
response without an EncryptedRandomSessionKey. At this stage ntlmssp.idl
is not used for this, instead the packets are generated with msrpc_gen().

Found by Douglas Bagnall using Honggfuzz and the new fuzz_ndr_X fuzzer.

Signed-off-by: Andrew Bartlett <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>

Autobuild-User(master): Andrew Bartlett <[email protected]>
Autobuild-Date(master): Wed Nov 20 06:06:29 UTC 2019 on sn-devel-184
1 parent 33e9021 commit f7f9280

File tree

2 files changed

+1
-2
lines changed


librpc/idl/ntlmssp.idl

+1-1
@@ -271,7 +271,7 @@ interface ntlmssp
271271
[value(ndr_ntlmssp_string_length(NegotiateFlags, Workstation))] uint16 WorkstationLen;
272272
[value(WorkstationLen)] uint16 WorkstationMaxLen;
273273
[relative] [subcontext(0),subcontext_size(WorkstationLen)] [flag(ndr_ntlmssp_negotiated_string_flags(r->NegotiateFlags))] string *Workstation;
274-
[value(EncryptedRandomSessionKey->length)] uint16 EncryptedRandomSessionKeyLen;
274+
[value(EncryptedRandomSessionKey == NULL ? 0 : EncryptedRandomSessionKey->length)] uint16 EncryptedRandomSessionKeyLen;
275275
[value(EncryptedRandomSessionKeyLen)] uint16 EncryptedRandomSessionKeyMaxLen;
276276
[relative] [subcontext(0),subcontext_size(EncryptedRandomSessionKeyLen)] DATA_BLOB *EncryptedRandomSessionKey;
277277
NEGOTIATE NegotiateFlags;
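Review bot: The ternary on EncryptedRandomSessionKeyLen fixes the push-side dereference, but the hunk leaves it undocumented that a NULL EncryptedRandomSessionKey is now a legal in-memory form of the AUTHENTICATE message, and nothing visible here says what the pull side produces for a zero-length [relative] field (a NULL pointer or an empty DATA_BLOB). A one-line IDL comment stating the accepted representation would help the server-side code the commit message mentions, which will have to construct one of those two forms when it moves from msrpc_gen() to this IDL. The same dereference-in-value() pattern is worth checking for the other [relative] fields in the message: Workstation goes through ndr_ntlmssp_string_length(NegotiateFlags, Workstation), and from this hunk alone it is not clear that helper tolerates a NULL Workstation, so a NULL check there (or a note that the helper already handles it) would close the same class of bug the fuzzer found.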

selftest/knownfail.d/ndrdump-NTLMSSP

-1
This file was deleted.
