s3: smbd: Codenomicon crash in do_smb_load_module().

Inside api_pipe_bind_req() we look for a pipe module name using

dcerpc_default_transport_endpoint(pkt,
                                NCACN_NP, table)

which returns NULL when given invalid pkt data from the Codenomicon fuzzer.

This gets passed directly to smb_probe_module(), which then calls
do_smb_load_module() which tries to deref the (NULL) module name.

https://bugzilla.samba.org/show_bug.cgi?id=11342

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 18 22:14:01 CEST 2015 on sn-devel-104

diff --git a/lib/util/modules.c b/lib/util/modules.c
index 828f33a0e1639095a255833b4e83da035d7f0003..1f00dd810ae33422498ce36ce524c5c8597762db 100644 (file)
--- a/lib/util/modules.c
+++ b/lib/util/modules.c
@@ -161,6 +161,11 @@ static NTSTATUS do_smb_load_module(const char *subsystem,
        char *full_path = NULL;
        TALLOC_CTX *ctx = talloc_stackframe();
 
+       if (module_name == NULL) {
+               TALLOC_FREE(ctx);
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        /* Check for absolute path */
 
        DEBUG(5, ("%s module '%s'\n", is_probe ? "Probing" : "Loading", module_name));