The Samba-Bugzilla – Attachment 17283 Details for Bug 14600: infinite loop in tldap filter parsing
[patch] tldap push fuzzer with a parsing fix
fuzz_tldap_push_filter.patch (text/plain), 4.88 KB, created by Douglas Bagnall on 2022-05-12 03:48:27 UTC
Flags: patch, obsolete
>From b7cff10398fe3a7c41033f0d872046cc442e0e66 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Sun, 20 Dec 2020 12:17:56 +1300 >Subject: [PATCH 1/2] tldap: avoid infinite loop when filter contains "\)" > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > source3/lib/tldap.c | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c >index e008b04e5e6..082a3e0b481 100644 >--- a/source3/lib/tldap.c >+++ b/source3/lib/tldap.c >@@ -1238,6 +1238,7 @@ static char *tldap_get_val(TALLOC_CTX *memctx, > while (*s) { > s = strchr(s, ')'); > if (s && (*(s - 1) == '\\')) { >+ s++; > continue; > } > break; >-- >2.25.1 > > >From df80961306d44f0330a950a253567c46dbcfc916 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Thu, 26 Nov 2020 16:04:15 +1300 >Subject: [PATCH 2/2] fuzz: fuzz tldap_push_filter() > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > lib/fuzzing/fuzz_tldap_push_filter.c | 79 ++++++++++++++++++++++++++++ > lib/fuzzing/wscript_build | 9 ++++ > source3/lib/tldap.c | 10 ++++ > 3 files changed, 98 insertions(+) > create mode 100644 lib/fuzzing/fuzz_tldap_push_filter.c > >diff --git a/lib/fuzzing/fuzz_tldap_push_filter.c b/lib/fuzzing/fuzz_tldap_push_filter.c >new file mode 100644 >index 00000000000..e6cba3f8755 >--- /dev/null >+++ b/lib/fuzzing/fuzz_tldap_push_filter.c 
>@@ -0,0 +1,79 @@ >+/* >+ Fuzz NMB parse_packet >+ Copyright (C) Catalyst IT 2020 >+ >+ This program is free software; you can redistribute it and/or modify >+ it under the terms of the GNU General Public License as published by >+ the Free Software Foundation; either version 3 of the License, or >+ (at your option) any later version. >+ >+ This program is distributed in the hope that it will be useful, >+ but WITHOUT ANY WARRANTY; without even the implied warranty of >+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ GNU General Public License for more details. >+ >+ You should have received a copy of the GNU General Public License >+ along with this program. If not, see <http://www.gnu.org/licenses/>. >+*/ >+ >+#include "replace.h" >+#include "includes.h" >+#include "fuzzing/fuzzing.h" >+#include "libcli/security/security.h" >+#include "lib/util/asn1.h" >+#include "tldap.h" >+#include "tldap_gensec_bind.h" >+#include <sys/types.h> >+#include <sys/stat.h> >+#include <fcntl.h> >+ >+/* >+ * This function is defined in source3/lib/tldap.c, guarded by >+ * >+ * #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION >+ * >+ * It wraps the static tldap_push_filter(). 
>+ */ >+ >+extern bool tldap_push_filter_fuzz(struct tldap_context *ld, >+ struct asn1_data *data, >+ const char *filter); >+ >+ >+ >+#define MAX_LENGTH (1024 * 100) >+char buf[MAX_LENGTH + 1]; >+ >+ >+int dummy_fd; >+ >+int LLVMFuzzerInitialize(int *argc, char ***argv) >+{ >+ dummy_fd = open("/dev/null", O_RDWR); >+ return 0; >+} >+ >+ >+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len) >+{ >+ TALLOC_CTX *mem_ctx = NULL; >+ struct asn1_data *asn1 = NULL; >+ struct tldap_context *ld; >+ >+ if (len > MAX_LENGTH) { >+ return 0; >+ } >+ >+ mem_ctx = talloc_stackframe(); >+ asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); >+ ld = tldap_context_create(mem_ctx, dummy_fd); >+ if (ld == NULL) { >+ abort(); >+ } >+ memcpy(buf, input, len); >+ buf[len] = '\0'; >+ >+ tldap_push_filter_fuzz(ld, asn1, buf); >+ talloc_free(mem_ctx); >+ return 0; >+} >diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build >index 9bfb049e5c0..440fb14009b 100644 >--- a/lib/fuzzing/wscript_build >+++ b/lib/fuzzing/wscript_build >@@ -87,6 +87,15 @@ bld.SAMBA_BINARY('fuzz_cli_credentials_parse_string', > deps='fuzzing samba-credentials afl-fuzz-main', > fuzzer=True) > >+bld.SAMBA_BINARY('fuzz_tldap_push_filter', >+ source='fuzz_tldap_push_filter.c', >+ deps='''fuzzing TLDAP afl-fuzz-main >+ talloc >+ smbconf >+ libsmb >+ LOCKING >+ ''', >+ fuzzer=True) > # The fuzz_type and fuzz_function parameters make the built > # fuzzer take the same input as ndrdump and so the same that > # could be sent to the client or server as the stub data. >diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c >index 082a3e0b481..8dbea0eaf53 100644 >--- a/source3/lib/tldap.c >+++ b/source3/lib/tldap.c 
>@@ -1797,6 +1797,16 @@ static bool tldap_push_filter(struct tldap_context *ld, > return ret; > } > >+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION >+/* In fuzzing mode we poke a hole in the API for a simple fuzz target. */ >+bool tldap_push_filter_fuzz(struct tldap_context *ld, >+ struct asn1_data *data, >+ const char *filter) >+{ >+ return tldap_push_filter(ld, data, filter); >+} >+#endif >+ > /*****************************************************************************/ > > static void tldap_search_done(struct tevent_req *subreq); >-- >2.25.1 >
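Review bot: the added `s++` in the tldap_get_val() hunk of PATCH 1/2 is the right fix for the hang: without it `s = strchr(s, ')')` returns the same escaped `)` on every iteration and the `continue` never makes progress. Two follow-ups on the same lines are worth considering: the escape test `*(s - 1) == '\\'` only inspects one preceding byte, so an escaped backslash followed by a genuine closing paren (`\\)`) is still treated as an escaped paren and the real terminator is skipped; and a small unit test with a `\)`-containing filter would pin the fixed behaviour down independently of the fuzzer added in PATCH 2/2.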
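Review bot: in the new lib/fuzzing/fuzz_tldap_push_filter.c the header comment reads `Fuzz NMB parse_packet`, which is copied from another fuzzer and should name tldap_push_filter() instead. In LLVMFuzzerTestOneInput() the result of `asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH)` is passed to tldap_push_filter_fuzz() without the NULL check that `ld` gets; give it the same `if (asn1 == NULL) { abort(); }` treatment so an allocation failure is not misreported as a parser crash. Likewise LLVMFuzzerInitialize() never checks the return value of `open("/dev/null", O_RDWR)`, so a failed open silently hands fd -1 to tldap_context_create(). The includes of `libcli/security/security.h` and `tldap_gensec_bind.h` are not used by anything in the file and can be dropped.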
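Review bot: the new bld.SAMBA_BINARY('fuzz_tldap_push_filter', ...) block in lib/fuzzing/wscript_build uses a triple-quoted multi-line `deps` string while the neighbouring fuzz_cli_credentials_parse_string entry just above it uses a single-line quoted list; flattening it to `deps='fuzzing TLDAP afl-fuzz-main talloc smbconf libsmb LOCKING'` keeps the file consistent. Also make sure a blank line separates the new entry from the `# The fuzz_type and fuzz_function parameters` comment that follows it, as the other entries in this file are separated.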
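Review bot: in the source3/lib/tldap.c hunk of PATCH 2/2, tldap_push_filter_fuzz() is defined without a prior prototype; the only declaration is the `extern bool tldap_push_filter_fuzz(...)` inside fuzz_tldap_push_filter.c, so the compiler cannot check that the two signatures agree and will warn about a missing prototype under -Wmissing-prototypes. Declare it in tldap.h under the same `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` guard and drop the local extern in the fuzzer, which already includes that header.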