librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0
author Stefan Metzmacher <metze@samba.org>
Wed, 3 Nov 2021 12:57:50 +0000 (13:57 +0100)
committer Stefan Metzmacher <metze@samba.org>
Mon, 24 Jan 2022 15:25:36 +0000 (15:25 +0000)
convert_string_talloc_handle() tries to play on the safe side
and always returns a null terminated array.

But for NDR we need to be correct on the wire...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
librpc/ndr/ndr_string.c
selftest/knownfail.d/blackbox.ndrdump [new file with mode: 0644]
selftest/knownfail.d/ndr_string [deleted file]

index b5421e99ff555d082d79feb3cc36ed655a94c042..95b0366b7918e7e58375e043c9369f4d6d164bbf 100644 (file)
@@ -236,7 +236,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_string(struct ndr_push *ndr, int ndr_flags,
                s_len++;
        }
 
-       if (!do_convert) {
+       if (s_len == 0) {
+               d_len = 0;
+               dest = (uint8_t *)talloc_strdup(ndr, "");
+       } else if (!do_convert) {
                d_len = s_len;
                dest = (uint8_t *)talloc_strndup(ndr, s, s_len);
        } else if (!convert_string_talloc(ndr, CH_UNIX, chset, s, s_len,
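Review bot: the new s_len == 0 branch has no comment explaining why the empty case must bypass both the talloc_strndup() and convert_string_talloc() paths. That reasoning (the converter always returns a null-terminated array, so d_len would not come out as 0 on the wire) lives only in the commit message; a short comment above "d_len = 0;" would keep it next to the code. Two smaller points on the same lines: the check runs after the conditional s_len++ in the context above, so an input for which that increment ran is not covered by this branch and still goes through the other paths, which is worth stating if intended. Also, the result of talloc_strdup(ndr, "") is assigned to dest without a NULL check in the visible lines; if the code after this if/else chain does not check dest, add one here.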
diff --git a/selftest/knownfail.d/blackbox.ndrdump b/selftest/knownfail.d/blackbox.ndrdump
new file mode 100644 (file)
index 0000000..8131b07
--- /dev/null
@@ -0,0 +1 @@
+^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE
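Review bot: this new knownfail entry for test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE is not explained anywhere in the commit message, which only discusses ndr_push_string() and wire correctness. Please say why a push-side change makes this ndrdump blackbox test fail (for example, that its expected output encodes the old d_len behaviour) and whether a follow-up commit updates the test and removes the entry, so the knownfail does not outlive the fix.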
diff --git a/selftest/knownfail.d/ndr_string b/selftest/knownfail.d/ndr_string
deleted file mode 100644 (file)
index f4c864e..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba4.local.ndr.ndr_string.ndr_string
-^samba4.local.ndr.system.iconv.ndr_string.ndr_string