smb2: NFS symlink reparse target is not NULL terminated

Change-Id: Ifb34b3959c6a3ea23691d0795227c2a4a98b9290
Reviewed-on: https://code.wireshark.org/review/32599
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>

1 files changed, 11 insertions, 2 deletions

diff --git a/epan/dissectors/packet-smb2.c b/epan/dissectors/packet-smb2.c
index 344c3388b2..c1ecadd2b6 100644
--- a/epan/dissectors/packet-smb2.c
+++ b/epan/dissectors/packet-smb2.c
@@ -20,6 +20,7 @@
 
 
 #include <epan/packet.h>
+#include <epan/exceptions.h>
 #include <epan/prefs.h>
 #include <epan/expert.h>
 #include <epan/tap.h>
@@ -6942,10 +6943,18 @@ dissect_smb2_reparse_nfs(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree
 
 	switch (type) {
 	case NFS_SPECFILE_LNK:
-		symlink_length = 0;
+		/*
+		 * According to [MS-FSCC] 2.1.2.6 "length" contains
+		 * the 8-byte type plus the symlink target in Unicode
+		 * non-NULL terminated.
+		 */
+		if (length < 8) {
+			THROW(ReportedBoundsError);
+		}
+		symlink_length = length - 8;
 		symlink_target = get_unicode_or_ascii_string(tvb, &offset, TRUE,
 							     &symlink_length, TRUE,
-							     FALSE, &bytes_left);
+							     TRUE, &bytes_left);
 		proto_tree_add_string(tree, hf_smb2_nfs_symlink_target, tvb, offset,
 				      symlink_length, symlink_target);
 		break;