Given a 256kB file, fuzz_ndr_dfsblobs_TYPE_STRUCT can generate (per valgrind) 16,475,520 allocs, 16,475,512 frees, 4,020,344,240 bytes allocated. I currently suspect that convert_string_talloc() is sometimes returning false (indicating an error) while not freeing the bad string, and ndr_pull_string_array() is hammering this. It gets freed eventually. The issue is that malformed data can OOM the server first.
(In reply to Douglas Bagnall from comment #0) > I currently suspect that convert_string_talloc() is sometimes returning false (indicating an error) while not freeing the bad string, OK, not that. It is somewhere further up the stack, in the ndr_pull_string_array() or somewhere. 1572071304 byte(s) (93%) in 8190474 allocation(s) #0 0x55d254c229cd in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3 #1 0x55d254c69d36 in __talloc_with_prefix samba/lib/talloc/talloc.c:783:9 #2 0x55d254c62575 in __talloc samba/lib/talloc/talloc.c:825:9 #3 0x55d254c62575 in _talloc_named_const samba/lib/talloc/talloc.c:982:8 #4 0x55d254c62575 in _talloc_realloc samba/lib/talloc/talloc.c:1822:10 #5 0x55d254c68641 in _talloc_realloc_array samba/lib/talloc/talloc.c:2785:9 #6 0x55d254ccb566 in convert_string_talloc_handle samba/lib/util/charset/convert_string.c:413:7 #7 0x55d254ccc08b in convert_string_talloc samba/lib/util/charset/convert_string.c:553:9 #8 0x55d254c9bd1c in ndr_pull_string samba/librpc/ndr/ndr_string.c:164:15 #9 0x55d254c9de3d in ndr_pull_string_array samba/librpc/ndr/ndr_string.c:433:4 #10 0x55d254ce5691 in ndr_pull_dfs_domain_referral samba/bin/default/librpc/gen_ndr/ndr_dfsblobs.c:713:6 #11 0x55d254ce2611 in ndr_pull_dfs_referral samba/bin/default/librpc/gen_ndr/ndr_dfsblobs.c:836:5 #12 0x55d254ce2611 in ndr_pull_dfs_referral_v3 samba/bin/default/librpc/gen_ndr/ndr_dfsblobs.c:976:4 #13 0x55d254cdfbcd in ndr_pull_dfs_referral_version samba/bin/default/librpc/gen_ndr/ndr_dfsblobs.c:1115:5 #14 0x55d254cda542 in ndr_pull_dfs_referral_type samba/bin/default/librpc/gen_ndr/ndr_dfsblobs.c:1198:4 #15 0x55d254cd9c48 in ndr_pull_dfs_referral_resp samba/bin/default/librpc/gen_ndr/ndr_dfsblobs.c:1270:4 #16 0x55d254c7814e in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_dfsblobs_TYPE_STRUCT.c:276:13
(In reply to Douglas Bagnall from comment #1) more notes to myself. in ndr_pull_dfs_domain_referral, line 660 and 673, { uint32_t _flags_save_string = ndr->flags; ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM|LIBNDR_FLAG_ALIGN2); NDR_CHECK(ndr_pull_relative_ptr_short(ndr, &_ptr_special_name)); if (_ptr_special_name) { >>> NDR_PULL_ALLOC(ndr, r->special_name); NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->special_name, _ptr_special_name)); } else { r->special_name = NULL; } ndr->flags = _flags_save_string; } ----- { uint32_t _flags_save_string_array = ndr->flags; ndr_set_flags(&ndr->flags, LIBNDR_FLAG_REMAINING|LIBNDR_FLAG_STR_NULLTERM); NDR_CHECK(ndr_pull_relative_ptr_short(ndr, &_ptr_expanded_names)); if (_ptr_expanded_names) { >>> NDR_PULL_ALLOC(ndr, r->expanded_names); NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->expanded_names, _ptr_expanded_names)); } else { r->expanded_names = NULL; } ndr->flags = _flags_save_string_array; } These are run 65535 times each time we go through lndr_pull_dfs_referral_resp(), line 1272: for (cntr_referral_entries_0 = 0; cntr_referral_entries_0 < (size_referral_entries_0); cntr_referral_entries_0++) { NDR_CHECK(ndr_pull_dfs_referral_type(ndr, NDR_BUFFERS, &r->referral_entries[cntr_referral_entries_0])); } so its not about things not being freed on error.
In other words, another case of bug #14505.