authorJeremy Allison <jra@samba.org>2010-09-26 02:59:32 -0700
committerJeremy Allison <jra@samba.org>2010-09-26 03:01:03 -0700
commit03841f9e44950811907ea83e8caedac2a80bce06 (patch)
tree39d6d5112f636b8640d5af3622fefdd376058e15 /source3/libsmb/cliconnect.c
parent80f8419ef25baa7b2f6d78469084a2ee80296fa1 (diff)
Fix bug #7698 - Assert causes smbd to panic on invalid NetBIOS session request.
Found by the CodeNomicon test suites at the SNIA plugfest. http://www.codenomicon.com/ If an invalid NetBIOS session request is received the code in name_len() in libsmb/nmblib.c can hit an assert. Re-write name_len() and name_extract() to use "buf/len" pairs and always limit reads. Jeremy.
Diffstat (limited to 'source3/libsmb/cliconnect.c')
-rw-r--r--source3/libsmb/cliconnect.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index f76f17c1bd..1e11e158f7 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2230,6 +2230,7 @@ bool cli_session_request(struct cli_state *cli,
{
char *p;
int len = 4;
+ int namelen = 0;
char *tmp;
/* 445 doesn't have session request */
@@ -2248,8 +2249,11 @@ bool cli_session_request(struct cli_state *cli,
}
p = cli->outbuf+len;
- memcpy(p, tmp, name_len(tmp));
- len += name_len(tmp);
+ namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp));
+ if (namelen > 0) {
+ memcpy(p, tmp, namelen);
+ len += namelen;
+ }
TALLOC_FREE(tmp);
/* and my name */
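Review bot: The `if (namelen > 0)` guard turns a malformed name into a silent skip: when name_len() reports failure the copy and the `len` update are dropped, tmp is freed, and cli_session_request goes on to build and send a session request that is missing the called name, so the bounded read is traded for a malformed RFC 1002 request on the wire instead of an error to the caller. Unless a zero-length encoded name is an intended result here, the failure should be surfaced like the function's other error paths, for example `if (namelen <= 0) { TALLOC_FREE(tmp); return false; }` followed by an unconditional `memcpy(p, tmp, namelen); len += namelen;`. Note also that the new length check bounds the read from tmp but not the write at `cli->outbuf+len`; whether outbuf can hold `len + namelen` is not visible in this hunk and is worth confirming. The same guard pattern is repeated in the next hunk (the "and my name" block) and should be changed the same way. The body of cli_session_request starts before and continues after this hunk.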
@@ -2261,8 +2265,11 @@ bool cli_session_request(struct cli_state *cli,
}
p = cli->outbuf+len;
- memcpy(p, tmp, name_len(tmp));
- len += name_len(tmp);
+ namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp));
+ if (namelen > 0) {
+ memcpy(p, tmp, namelen);
+ len += namelen;
+ }
TALLOC_FREE(tmp);
/* send a session request (RFC 1002) */