From: Denis Ovsienko Date: Fri, 7 Sep 2018 20:10:36 +0000 (+0100) Subject: (for 4.9.3) CVE-2018-16452/SMB: prevent stack exhaustion X-Git-Tag: tcpdump-4.9.3~57 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/24182d959f661327525a20d9a94c98a8ec016778 (for 4.9.3) CVE-2018-16452/SMB: prevent stack exhaustion Enforce a limit on how many times smb_fdata() can recurse. This fixes a stack exhaustion discovered by Include Security working under the Mozilla SOS program in 2018 by means of code audit.
---
diff --git a/smbutil.c b/smbutil.c
index fc9b3cc6..7b01f487 100644
--- a/smbutil.c
+++ b/smbutil.c
@@ -807,7 +807,14 @@ smb_fdata(netdissect_options *ndo,
 while (buf < maxbuf) {
 const u_char *buf2;
 depth++;
- buf2 = smb_fdata(ndo, buf, fmt, maxbuf, unicodestr);
+ /* Not sure how this relates with the protocol specification,
+ * but in order to avoid stack exhaustion recurse at most that
+ * many levels.
+ */
+ if (depth == 10)
+ ND_PRINT((ndo, "(too many nested levels, not recursing)"));
+ else
+ buf2 = smb_fdata(ndo, buf, fmt, maxbuf, unicodestr);
 depth--;
 if (buf2 == NULL)
 return(NULL);
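Review bot: On the new `depth == 10` branch `buf2` is never assigned, yet the context line `if (buf2 == NULL)` right after `depth--` reads it, so the limit path tests an indeterminate pointer. `buf2` is declared without an initializer at the top of the loop body, so the branch should set it explicitly, for example by bracing it and adding `buf2 = NULL;` after the `ND_PRINT`, which takes the visible `return(NULL)` path. Whether stopping with `NULL` or continuing with `buf2 = buf` is the better outcome depends on the rest of the loop, which lies outside the hunk. The bare `10` would also read better as a named constant next to the comment that explains it.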