Inside api_pipe_bind_req() we look for a pipe module name using
dcerpc_default_transport_endpoint(pkt, NCACN_NP, table)
which returns NULL when given invalid pkt data from the Codenomicon fuzzer.
This gets passed directly to smb_probe_module(), which then calls
do_smb_load_module() which tries to deref the (NULL) module name.
https://bugzilla.samba.org/show_bug.cgi?id=11342
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 18 22:14:01 CEST 2015 on sn-devel-104
char *full_path = NULL;
TALLOC_CTX *ctx = talloc_stackframe();
+ if (module_name == NULL) {
+ TALLOC_FREE(ctx);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/* Check for absolute path */
DEBUG(5, ("%s module '%s'\n", is_probe ? "Probing" : "Loading", module_name));
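Review bot: The early return in the new module_name == NULL branch is silent, and because it sits above the DEBUG(5, ...) line, a request that reaches this path with a NULL name leaves no log entry at any level. Consider emitting a DEBUG message before the return that states a NULL module name was passed, so the malformed bind is visible during triage. The TALLOC_FREE(ctx) ahead of the return correctly releases the stackframe. The commit message says the NULL comes from dcerpc_default_transport_endpoint() in api_pipe_bind_req(); checking that return value at the call site as well would reject the bad bind before it reaches smb_probe_module() and would cover any other use of the returned name.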