From 116c740cb9c30bc2471dcb7ba2a771c86b02061a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 11 Aug 2023 10:42:41 -0700 Subject: [PATCH] s3: smbd: Ensure srvstr_pull_req_talloc() always NULLs out *dest. Robert Morris noticed that in the case where srvstr_pull_req_talloc() is being called with buffer remaining == 0, we don't NULL out the destination pointed which is *always* done in the codepaths inside pull_string_talloc(). This prevents a crash in the caller. Remove knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke (cherry picked from commit 9220c45cc191b34e293190f6a923ba463edd5db9) --- selftest/knownfail.d/smb1_truncated_sessetup | 1 - source3/smbd/smb2_reply.c | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 selftest/knownfail.d/smb1_truncated_sessetup diff --git a/selftest/knownfail.d/smb1_truncated_sessetup b/selftest/knownfail.d/smb1_truncated_sessetup deleted file mode 100644 index 2ecdbd867a9..00000000000 --- a/selftest/knownfail.d/smb1_truncated_sessetup +++ /dev/null @@ -1 +0,0 @@ -^samba3.smbtorture_s3.smb1.SMB1-TRUNCATED-SESSSETUP.smbtorture\(fileserver_smb1\) diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c index 66b735e0b75..dfcd05d2cae 100644 --- a/source3/smbd/smb2_reply.c +++ b/source3/smbd/smb2_reply.c @@ -533,6 +533,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, ssize_t bufrem = smbreq_bufrem(req, src); if (bufrem == 0) { + *dest = NULL; return 0; } -- 2.11.4.GIT
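Review bot: in the source3/smbd/smb2_reply.c hunk, the added `*dest = NULL;` covers only the `bufrem == 0` early return, so the guarantee in the subject line ("always NULLs out *dest") still relies on every other path reaching pull_string_talloc(). Setting `*dest = NULL;` once at the top of srvstr_pull_req_talloc(), before `smbreq_bufrem(req, src)` is called, would keep that guarantee intact for any early return added later. Note also that `bufrem` is declared `ssize_t` but is only compared against 0 here; what happens on a negative result is outside this hunk, so it is worth confirming that such a path cannot return with `*dest` left uninitialised. A one-line comment on the function stating that `*dest` is always initialised on return would document the contract for callers that test the pointer rather than the returned length.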