Bug 15011 - Excessive trust of claimed array sizes in regfio
Summary: Excessive trust of claimed array sizes in regfio
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL: https://bugs.chromium.org/p/oss-fuzz/...
Depends on:
Reported: 2022-03-11 03:31 UTC by Douglas Bagnall
Modified: 2022-03-13 00:40 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Douglas Bagnall 2022-03-11 03:31:57 UTC
regfio.c will (at least for a while) believe extravagant record_size claims, meaning a very small file can cause a huge amount of work.
Comment 1 Douglas Bagnall 2022-03-13 00:40:55 UTC
This was originally opened for https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38575, but this one might be more useful:


Adding a talloc report shows some lines like

        parse_prs                      contains 84215045 bytes in   1 blocks (ref 0) 0x7fe55b7da070

84215045 is 0x05050505; hexdump of the fuzz file ends with

00002a60  05 05 05 05 05 05 05 05  05 05 05 05 05 05 05 05  |................|

so I'm suspecting some connection there.

valgrind says 

==1773460==   total heap usage: 11,833 allocs, 11,791 frees, 2,697,638,702 bytes allocated

this is freed or mostly freed at the end, but that's no consolation if a malformed file OOMs you first.