From b7cff10398fe3a7c41033f0d872046cc442e0e66 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Sun, 20 Dec 2020 12:17:56 +1300
Subject: [PATCH 1/2] tldap: avoid infinite loop when filter contains "\)"
Signed-off-by: Douglas Bagnall
---
 source3/lib/tldap.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
index e008b04e5e6..082a3e0b481 100644
--- a/source3/lib/tldap.c
+++ b/source3/lib/tldap.c
@@ -1238,6 +1238,7 @@ static char *tldap_get_val(TALLOC_CTX *memctx,
 while (*s) {
 s = strchr(s, ')');
 if (s && (*(s - 1) == '\\')) {
+ s++;
 continue;
 }
 break;
-- 
2.25.1
From df80961306d44f0330a950a253567c46dbcfc916 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Thu, 26 Nov 2020 16:04:15 +1300
Subject: [PATCH 2/2] fuzz: fuzz tldap_push_filter()
Signed-off-by: Douglas Bagnall
---
 lib/fuzzing/fuzz_tldap_push_filter.c | 79 ++++++++++++++++++++++++++++
 lib/fuzzing/wscript_build | 9 ++++
 source3/lib/tldap.c | 10 ++++
 3 files changed, 98 insertions(+)
 create mode 100644 lib/fuzzing/fuzz_tldap_push_filter.c
diff --git a/lib/fuzzing/fuzz_tldap_push_filter.c b/lib/fuzzing/fuzz_tldap_push_filter.c
new file mode 100644
index 00000000000..e6cba3f8755
--- /dev/null
+++ b/lib/fuzzing/fuzz_tldap_push_filter.c
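Review bot: The escape test `if (s && (*(s - 1) == '\\'))` inspects only the single character before the `)`, so if a backslash can itself be escaped in this dialect, a value ending in `\\)` is misread as an escaped paren and the loop now steps past the real terminator (the added `s++` turns the old spin into a skip for that input). Deciding by parity would settle it: walk back from `s` while the previous character is `\\` and treat the paren as escaped only when the count of backslashes is odd. That walk-back, like the existing `s - 1`, needs a lower bound at the start of the value, since `*(s - 1)` is read unconditionally and is out of range when the `)` is the first character scanned; whether `s` can equal the buffer start here is not visible, as tldap_get_val's body begins and ends outside this hunk. Note also that `s` is NULL after the `break` when no `)` is found at all, so the code below the hunk must tolerate that; presumably it does, but it is worth confirming.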
@@ -0,0 +1,79 @@
+/*
+ Fuzz NMB parse_packet
+ Copyright (C) Catalyst IT 2020
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "replace.h"
+#include "includes.h"
+#include "fuzzing/fuzzing.h"
+#include "libcli/security/security.h"
+#include "lib/util/asn1.h"
+#include "tldap.h"
+#include "tldap_gensec_bind.h"
+#include
+#include
+#include
+
+/*
+ * This function is defined in source3/lib/tldap.c, guarded by
+ *
+ * #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ *
+ * It wraps the static tldap_push_filter().
+ */
+
+extern bool tldap_push_filter_fuzz(struct tldap_context *ld,
+ struct asn1_data *data,
+ const char *filter);
+
+
+
+#define MAX_LENGTH (1024 * 100)
+char buf[MAX_LENGTH + 1];
+
+
+int dummy_fd;
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ dummy_fd = open("/dev/null", O_RDWR);
+ return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+{
+ TALLOC_CTX *mem_ctx = NULL;
+ struct asn1_data *asn1 = NULL;
+ struct tldap_context *ld;
+
+ if (len > MAX_LENGTH) {
+ return 0;
+ }
+
+ mem_ctx = talloc_stackframe();
+ asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
+ ld = tldap_context_create(mem_ctx, dummy_fd);
+ if (ld == NULL) {
+ abort();
+ }
+ memcpy(buf, input, len);
+ buf[len] = '\0';
+
+ tldap_push_filter_fuzz(ld, asn1, buf);
+ talloc_free(mem_ctx);
+ return 0;
+}
diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
index 9bfb049e5c0..440fb14009b 100644
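Review bot: The file header `Fuzz NMB parse_packet` is copied from another harness and should read `Fuzz tldap_push_filter` so the comment names the target this file actually drives. In LLVMFuzzerTestOneInput the `asn1_init()` result is handed straight to `tldap_push_filter_fuzz()` while the neighbouring `tldap_context_create()` result is checked and aborts on NULL; treating both the same, `if (asn1 == NULL) { abort(); }`, keeps an allocation failure in the harness from surfacing as a NULL dereference inside the code under test and being triaged as a finding. `open("/dev/null", O_RDWR)` in LLVMFuzzerInitialize is likewise unchecked, so a failure there silently feeds `-1` to every `tldap_context_create()` call; an `abort()` on `dummy_fd < 0` would make that loud. The three bare `#include` lines at the end of the include list have lost their header names in this rendering (the code needs at least `uint8_t` and `O_RDWR`), so check the committed file rather than this view.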
--- a/lib/fuzzing/wscript_build
+++ b/lib/fuzzing/wscript_build
@@ -87,6 +87,15 @@ bld.SAMBA_BINARY('fuzz_cli_credentials_parse_string',
 deps='fuzzing samba-credentials afl-fuzz-main',
 fuzzer=True)
+bld.SAMBA_BINARY('fuzz_tldap_push_filter',
+ source='fuzz_tldap_push_filter.c',
+ deps='''fuzzing TLDAP afl-fuzz-main
+ talloc
+ smbconf
+ libsmb
+ LOCKING
+ ''',
+ fuzzer=True)
 # The fuzz_type and fuzz_function parameters make the built
 # fuzzer take the same input as ndrdump and so the same that
 # could be sent to the client or server as the stub data.
diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
index 082a3e0b481..8dbea0eaf53 100644
--- a/source3/lib/tldap.c
+++ b/source3/lib/tldap.c
@@ -1797,6 +1797,16 @@ static bool tldap_push_filter(struct tldap_context *ld,
 return ret;
 }
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+/* In fuzzing mode we poke a hole in the API for a simple fuzz target. */
+bool tldap_push_filter_fuzz(struct tldap_context *ld,
+ struct asn1_data *data,
+ const char *filter)
+{
+ return tldap_push_filter(ld, data, filter);
+}
+#endif
+
 /*****************************************************************************/
 static void tldap_search_done(struct tevent_req *subreq);
-- 
2.25.1
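Review bot: `tldap_push_filter_fuzz()` is defined with external linkage but no prototype in any header; the harness declares it with its own hand-written `extern`, so the two signatures are only reconciled at link time, and a `-Wmissing-prototypes` build (if Samba enables that warning, which is not visible here) would flag this definition. Putting the declaration in tldap.h under the same `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` guard and including that from the harness leaves one prototype the compiler checks both sides against. The comment would also help a reader more if it said who the hole is for, e.g. `/* Exposes the static tldap_push_filter() to lib/fuzzing/fuzz_tldap_push_filter.c; never compiled into production builds. */`.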