The Samba-Bugzilla – Attachment 18267 Details for Bug 15606: avoid null-dereference with bad claims
[patch] Patch for master backported to Samba 4.20 (v1)
bug-15606-4.20.patch (text/plain), 3.01 KB, created by Andrew Bartlett on 2024-03-18 05:44:07 UTC
>From 8317145d127f2762c52fe68dedbdda2604f22e9c Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Sun, 17 Mar 2024 23:07:17 +1300 >Subject: [PATCH 1/2] libcli/security: claims_conversions: check for NULL in > claims array > >If by mistake we end up with a NULL in our array of claims pointers, >it is better to return an error than crash. > >There can be NULLs in the array if a resource attribute ACE has a >claim that uses 0 as a relative data pointer. Samba assumes this means >a NULL pointer, rather than a zero offset. > >Credit to OSS-Fuzz. > >REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 78f728063a1e510966a45f7f1d9515ea3bd16214) >--- > libcli/security/claims-conversions.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > >diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c >index bbba5973852..0d3b06de4fe 100644 >--- a/libcli/security/claims-conversions.c >+++ b/libcli/security/claims-conversions.c >@@ -935,6 +935,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx, > .case_sensitive = case_sensitive > }; > >+ /* >+ * It could be that the values array contains a NULL pointer, in which >+ * case we don't need to worry about what type it is. >+ */ >+ for (i = 0; i < claim->value_count; i++) { >+ if (claim->values[i].int_value == NULL) { >+ return NT_STATUS_INVALID_PARAMETER; >+ } >+ } >+ > if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) { > NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim); > if (NT_STATUS_IS_OK(status)) { >-- >2.25.1 > > >From ac8766c9b2d97c7b43b4b88aa9dc779d370fbdca Mon Sep 17 00:00:00 2001 
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Sun, 17 Mar 2024 23:08:23 +1300 >Subject: [PATCH 2/2] libcli/security: check again for NULL values > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=156067 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> > >Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224 > >(cherry picked from commit b815abe77991d7929717ea3ed4b9d7bef7179715) >--- > libcli/security/claims-conversions.c | 3 +++ > 1 file changed, 3 insertions(+) > >diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c >index 0d3b06de4fe..ccf1375fc8f 100644 >--- a/libcli/security/claims-conversions.c >+++ b/libcli/security/claims-conversions.c >@@ -262,6 +262,9 @@ static bool claim_v1_offset_to_ace_token( > uint8_t f = claim->flags & CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE; > result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR; > >+ if (claim->values[offset].int_value == NULL) { >+ return false; >+ } > switch (claim->value_type) { > case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64: > return claim_v1_int_to_ace_int(claim, offset, result); >-- >2.25.1 >
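Review bot: In the claim_v1_check_and_sort hunk of PATCH 1/2, the new loop tests claim->values[i].int_value before claim->value_type is looked at, which is only correct if every member of the values union is a pointer that aliases int_value. The comment should state that assumption explicitly instead of "we don't need to worry about what type it is", so that a later change to the union does not silently break the check. The diffstat shows only claims-conversions.c changed, so the case the commit message describes (a resource attribute ACE whose claim uses 0 as a relative data pointer) has no regression test in this patch; consider adding one alongside the fix.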
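Review bot: In the claim_v1_offset_to_ace_token hunk of PATCH 2/2, the NULL check sits after result->flags has already been written, so the new "return false" leaves result partly filled in; moving the check above the flags assignment would keep result untouched on the failure path. The check also has no comment and no blank line before the switch, unlike the commented loop added in PATCH 1/2; a one-line comment saying why values[offset] can be NULL here would help. The BUG tag in this commit message reads id=156067, while PATCH 1/2 and this page refer to bug 15606.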
Flags: dbagnall: review+, dbagnall: ci-passed+