| commit | 290c1ae0ff8dc75fa06e5463d55987918ee3c999 | |
| author | Jeremy Allison <jra@samba.org> | |
| Thu, 18 Jun 2015 17:21:07 +0000 (18 10:21 -0700) | ||
| committer | Karolin Seeger <kseeger@samba.org> | |
| Tue, 30 Jun 2015 00:06:28 +0000 (30 02:06 +0200) | ||
| tree | 71a12a0ff78a6489e8f6b05140688c3e67eb3028 | treesnapshot (tar.gz zip) |
| parent | 81dde5e1e3692b86d04084f1a5ca9c842172f7d3 | commitdiff |
s3: smbd: Codenomicon crash in do_smb_load_module().
Inside api_pipe_bind_req() we look for a pipe module name using
dcerpc_default_transport_endpoint(pkt,
NCACN_NP, table)
which returns NULL when given invalid pkt data from the Codenomicon fuzzer.
This gets passed directly to smb_probe_module(), which then calls
do_smb_load_module() which tries to deref the (NULL) module name.
https://bugzilla.samba.org/show_bug.cgi?id=11342
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 18 22:14:01 CEST 2015 on sn-devel-104
(cherry picked from commit 5a82cc21379e3fe28441cd82647313c9390b41e7)
Inside api_pipe_bind_req() we look for a pipe module name using
dcerpc_default_transport_endpoint(pkt,
NCACN_NP, table)
which returns NULL when given invalid pkt data from the Codenomicon fuzzer.
This gets passed directly to smb_probe_module(), which then calls
do_smb_load_module() which tries to deref the (NULL) module name.
https://bugzilla.samba.org/show_bug.cgi?id=11342
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 18 22:14:01 CEST 2015 on sn-devel-104
(cherry picked from commit 5a82cc21379e3fe28441cd82647313c9390b41e7)
| lib/util/modules.c | diffblobblamehistory |