s3/libsmb: Avoid potential smbpanic calling parse_user_quota_list.
author Noel Power <noel.power@suse.com>
Tue, 28 Feb 2017 15:04:16 +0000 (15:04 +0000)
committer Noel Power <npower@samba.org>
Tue, 31 Jul 2018 14:56:24 +0000 (16:56 +0200)
Calling parse_user_quota_list with a NULL buffer can cause a panic. While
this shouldn't happen, I managed to trigger this with an early implementation
of SMB2 quota support in smbd which didn't pass back NT_STATUS_NO_MORE_ENTRIES
when handling a SMB2_0_INFO_QUOTA GETINFO message.
OTOH the Windows client handled the same situation gracefully.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/libsmb/cli_smb2_fnum.c

index 4b9871c54df4bcf09417849ea765f7a7b3929ed5..3546ae422ecc31e7a59eb3b708b091cabc1506b2 100644 (file)
@@ -3047,6 +3047,14 @@ NTSTATUS cli_smb2_list_user_quota_step(struct cli_state *cli,
                                    ph->fid_persistent, ph->fid_volatile, frame,
                                    &outbuf);
 
+       /*
+        * safeguard against panic from calling parse_user_quota_list with
+        * NULL buffer
+        */
+       if (NT_STATUS_IS_OK(status) && outbuf.length == 0) {
+               status = NT_STATUS_NO_MORE_ENTRIES;
+       }
+
        if (!NT_STATUS_IS_OK(status)) {
                goto cleanup;
        }
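
Review bot: the new guard tests `outbuf.length == 0`, but its comment describes the hazard as a NULL buffer, and the two are not the same condition. Either test `outbuf.data == NULL` as well, or reword the comment to say that an empty successful reply is treated as the end of the enumeration. Because the panic happens inside parse_user_quota_list, a NULL or zero-length check in that function would protect any other caller too, rather than only this call site. Rewriting an OK status to `NT_STATUS_NO_MORE_ENTRIES` also hides the fact that the server returned success with no data, so a debug-level log message inside the new `if` block would make a misbehaving server easier to diagnose.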