(for 4.9.3) CVE-2018-16452/SMB: prevent stack exhaustion
authorDenis Ovsienko <[email protected]>
Fri, 7 Sep 2018 20:10:36 +0000 (21:10 +0100)
committerFrancois-Xavier Le Bail <[email protected]>
Tue, 27 Aug 2019 09:20:43 +0000 (11:20 +0200)
Enforce a limit on how many times smb_fdata() can recurse.

This fixes a stack exhaustion discovered by Include Security working
under the Mozilla SOS program in 2018 by means of code audit.

smbutil.c

index fc9b3cc6f227a659fd71f3c5e4c1c766a132e9a3..7b01f487dbc2de43cb1cdb19c5a017866d27d80d 100644 (file)
--- a/smbutil.c
+++ b/smbutil.c
@@ -807,7 +807,14 @@ smb_fdata(netdissect_options *ndo,
            while (buf < maxbuf) {
                const u_char *buf2;
                depth++;
-               buf2 = smb_fdata(ndo, buf, fmt, maxbuf, unicodestr);
+               /* Not sure how this relates with the protocol specification,
+                * but in order to avoid stack exhaustion recurse at most that
+                * many levels.
+                */
+               if (depth == 10)
+                       ND_PRINT((ndo, "(too many nested levels, not recursing)"));
+               else
+                       buf2 = smb_fdata(ndo, buf, fmt, maxbuf, unicodestr);
                depth--;
                if (buf2 == NULL)
                    return(NULL);
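Review bot: On the new `depth == 10` path `buf2` is never assigned — it is declared without an initializer at `const u_char *buf2;` and only the `else` branch writes it — yet `if (buf2 == NULL)` two lines later reads it, which is undefined behaviour and makes the outcome of the recursion cut-off depend on whatever is on the stack. The branch should set it explicitly, e.g. `if (depth == 10) { ND_PRINT((ndo, "(too many nested levels, not recursing)")); buf2 = NULL; } else`, or the declaration should become `const u_char *buf2 = NULL;` so the limit reliably abandons the dissection; whether `buf` (stop descending but keep parsing) is the better sentinel depends on the checks that follow `return(NULL)`, which lie outside the hunk. The limit check itself would read more robustly as `depth >= 10` with the `10` named (`#define SMB_FDATA_MAX_DEPTH 10`), so a later change to the increment/decrement pairing cannot step over it. The enclosing `while` loop and `smb_fdata` continue past the end of the hunk.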