From 8317145d127f2762c52fe68dedbdda2604f22e9c Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Sun, 17 Mar 2024 23:07:17 +1300
Subject: [PATCH 1/2] libcli/security: claims_conversions: check for NULL in claims array

If by mistake we end up with a NULL in our array of claims pointers, it is better to return an error than crash. There can be NULLs in the array if a resource attribute ACE has a claim that uses 0 as a relative data pointer. Samba assumes this means a NULL pointer, rather than a zero offset.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
(cherry picked from commit 78f728063a1e510966a45f7f1d9515ea3bd16214)
---
 libcli/security/claims-conversions.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c
index bbba5973852..0d3b06de4fe 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -935,6 +935,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx,
 .case_sensitive = case_sensitive
 };
 
+ /*
+ * It could be that the values array contains a NULL pointer, in which
+ * case we don't need to worry about what type it is.
+ */
+ for (i = 0; i < claim->value_count; i++) {
+ if (claim->values[i].int_value == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
 if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) {
 NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim);
 if (NT_STATUS_IS_OK(status)) {
-- 
2.25.1

From ac8766c9b2d97c7b43b4b88aa9dc779d370fbdca Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Sun, 17 Mar 2024 23:08:23 +1300
Subject: [PATCH 2/2] libcli/security: check again for NULL values

BUG: https://bugzilla.samba.org/show_bug.cgi?id=156067
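Review bot: The loop added before the boolean branch tests `claim->values[i].int_value` regardless of `claim->value_type`, so it reads one union member as a proxy for all of them, and the comment only says the type "doesn't matter" without saying why that read is valid. The existing comment would be clearer as `/* Every member of the values union is a pointer (as this code assumes), so int_value stands in for whichever member value_type selects; a NULL here comes from a relative data pointer of 0 in the ACE. */`, which ties the check to the cause described in the commit message. The loop variable `i` is not declared in the hunk and claim_v1_check_and_sort begins outside it, so whether `i` is already in scope with a type that compares cleanly against `claim->value_count` cannot be confirmed from here. The same pattern appears in the second patch's hunk in claim_v1_offset_to_ace_token, where the rationale could be stated once and referenced.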
Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224

(cherry picked from commit b815abe77991d7929717ea3ed4b9d7bef7179715)
---
 libcli/security/claims-conversions.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c
index 0d3b06de4fe..ccf1375fc8f 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -262,6 +262,9 @@ static bool claim_v1_offset_to_ace_token(
 uint8_t f = claim->flags & CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
 result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR;
 
+ if (claim->values[offset].int_value == NULL) {
+ return false;
+ }
 switch (claim->value_type) {
 case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64:
 return claim_v1_int_to_ace_int(claim, offset, result);
-- 
2.25.1
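Review bot: The new NULL check sits after `result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR;`, so on the `return false` path the caller receives a `result` whose flags are already set but whose value was never filled in; a caller that treats false as "result untouched" would see a half-built token. Moving the three added lines above `uint8_t f = claim->flags & CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;` keeps `result` unmodified on failure, so the guard becomes `if (claim->values[offset].int_value == NULL) { return false; }` as the first statement of this stretch. claim_v1_offset_to_ace_token begins outside the hunk, so it cannot be seen here whether `offset` has been range-checked against `claim->value_count` before `claim->values[offset]` is indexed; if not, the NULL test reads out of bounds before it can help. Separately, the BUG trailer in this patch's message reads 156067 while patch 1 cites 15606, which looks like a typo.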