Bug 15011 - Excessive trust of claimed array sizes in regfio
Summary: Excessive trust of claimed array sizes in regfio
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL: https://bugs.chromium.org/p/oss-fuzz/...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-11 03:31 UTC by Douglas Bagnall
Modified: 2022-03-13 00:40 UTC

See Also:


Description Douglas Bagnall 2022-03-11 03:31:57 UTC
regfio.c will (at least for a while) believe extravagant record_size claims, meaning a very small file can cause a huge amount of work.
Comment 1 Douglas Bagnall 2022-03-13 00:40:55 UTC
This was originally opened for https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38575, but this one might be more useful:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40891

Adding a talloc report shows some lines like

        parse_prs                      contains 84215045 bytes in   1 blocks (ref 0) 0x7fe55b7da070

84215045 is 0x05050505; hexdump of the fuzz file ends with

00002a60  05 05 05 05 05 05 05 05  05 05 05 05 05 05 05 05  |................|
*
00002ad9

so I'm suspecting some connection there.

valgrind says

==1773460==   total heap usage: 11,833 allocs, 11,791 frees, 2,697,638,702 bytes allocated

this is freed or mostly freed at the end, but that's no consolation if a malformed file OOMs you first.
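The defensive check this report calls for, as an added example that is not Samba's regfio.c code: a claimed record size is compared against the bytes that actually remain in the file before anything is allocated. The record layout (a 32-bit little-endian signed size in the style of regf hive cells), the function names and the sample inputs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout, modelled on regf hive cells: a 32-bit
 * little-endian signed size (negative means the cell is in use; the
 * magnitude includes these 4 header bytes), followed by the payload. */
#define RECORD_HDR_LEN 4u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Check the size a record claims against the bytes that really exist
 * after 'off' in a 'file_len'-byte buffer. Returns 1 and stores the
 * usable size in *out_size, or 0 (allocating nothing) if the claim
 * cannot be backed by the file. */
int check_record_size(const uint8_t *file, size_t file_len, size_t off,
                      size_t *out_size)
{
    if (off > file_len || file_len - off < RECORD_HDR_LEN)
        return 0;                       /* header itself is cut off */
    uint32_t raw = read_le32(file + off);
    uint32_t size = (raw & 0x80000000u) ? 0u - raw : raw;  /* magnitude */
    if (size < RECORD_HDR_LEN || size > file_len - off)
        return 0;                       /* nonsense or oversized claim */
    *out_size = size;
    return 1;
}
/* Allocate and copy a record only once its size claim has been checked,
 * so a tiny file can never drive a huge allocation. */
uint8_t *copy_record(const uint8_t *file, size_t file_len, size_t off,
                     size_t *out_size)
{
    size_t size;
    if (!check_record_size(file, file_len, off, &size)) return NULL;
    uint8_t *rec = malloc(size);
    if (rec == NULL) return NULL;
    memcpy(rec, file + off, size);
    *out_size = size;
    return rec;
}

/* Constructed inputs: a 16-byte run of 0x05 like the fuzz file's tail
 * (claims 0x05050505 = 84215045 bytes) and a valid 8-byte in-use cell. */
const uint8_t fuzz_tail[16] = {5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5};
const uint8_t good_cell[8] = {0xf8,0xff,0xff,0xff,'a','b','c','d'};
```

With the check in place the 0x05050505 claim is rejected outright, so the 84 MB talloc block seen in the report is never requested.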