
librpc: Check for NULL pointer in value() in ntlmssp_AUTHENTICATE

This allows ndrdump --validate to avoid following a NULL pointer when re-pushing
a valid but unusual input.

It also avoids an issue if the Samba server code were to provide a response
without an EncryptedRandomSessionKey.

At this stage ntlmssp.idl is not used for this, instead the packets are
generated with msrpc_gen().

Found by Douglas Bagnall using Honggfuzz and the new fuzz_ndr_X
fuzzer.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov 20 06:06:29 UTC 2019 on sn-devel-184
abartlet committed Nov 19, 2019
1 parent 33e9021 commit f7f92803f600f8d302cdbb668c42ca8b186a797f
Showing with 1 addition and 2 deletions.
  1. +1 −1 librpc/idl/ntlmssp.idl
  2. +0 −1 selftest/knownfail.d/ndrdump-NTLMSSP
@@ -271,7 +271,7 @@ interface ntlmssp
[value(ndr_ntlmssp_string_length(NegotiateFlags, Workstation))] uint16 WorkstationLen;
[value(WorkstationLen)] uint16 WorkstationMaxLen;
[relative] [subcontext(0),subcontext_size(WorkstationLen)] [flag(ndr_ntlmssp_negotiated_string_flags(r->NegotiateFlags))] string *Workstation;
[value(EncryptedRandomSessionKey->length)] uint16 EncryptedRandomSessionKeyLen;
[value(EncryptedRandomSessionKey == NULL ? 0 : EncryptedRandomSessionKey->length)] uint16 EncryptedRandomSessionKeyLen;
[value(EncryptedRandomSessionKeyLen)] uint16 EncryptedRandomSessionKeyMaxLen;
[relative] [subcontext(0),subcontext_size(EncryptedRandomSessionKeyLen)] DATA_BLOB *EncryptedRandomSessionKey;
NEGOTIATE NegotiateFlags;
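Review bot: the ternary added to the value() of EncryptedRandomSessionKeyLen only guards the push-side dereference; the same hunk still sizes the [relative] DATA_BLOB via subcontext_size(EncryptedRandomSessionKeyLen), so it is worth confirming that a pull of a packet with a zero length and a zero relative offset yields a NULL EncryptedRandomSessionKey (not an empty blob), otherwise the re-push that ndrdump --validate performs may not reproduce the original bytes even with this fix. For consistency with the Workstation field just above, which computes its length through ndr_ntlmssp_string_length(NegotiateFlags, Workstation) rather than an inline expression, consider a small NULL-safe helper for optional DATA_BLOB lengths if other fields in this interface need the same treatment; and since the only test change is the removed knownfail entry, a one-line note in the commit message naming which ndrdump test now passes would make the intent clearer to future readers.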

This file was deleted.
