Bug 15348 - Null-dereference READ in ndr_push_CLAIMS_SET_NDR
Summary: Null-dereference READ in ndr_push_CLAIMS_SET_NDR
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: PIDL and libndr
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2023-03-31 21:13 UTC by Douglas Bagnall
Modified: 2023-04-05 02:03 UTC (History)
CC List: 2 users

See Also:


Attachments
the relevant fuzz test case (32 bytes, application/octet-stream)
2023-03-31 21:13 UTC, Douglas Bagnall

Description Douglas Bagnall 2023-03-31 21:13:53 UTC
Created attachment 17852
the relevant fuzz test case

From OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57591
Detailed Report: https://oss-fuzz.com/testcase?key=6174047888343040


==7133==The signal is caused by a READ memory access.
==7133==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x559d03a753c2 in ndr_push_CLAIMS_SET_CTR samba/bin/default/librpc/gen_ndr/ndr_claims.c:783:3
    #1 0x559d03a753c2 in ndr_push_CLAIMS_SET_NDR samba/bin/default/librpc/gen_ndr/ndr_claims.c:976:4
    #2 0x559d03acea20 in ndr_push_struct_blob samba/librpc/ndr/ndr.c:1435:2
    #3 0x559d03a7ea68 in ndr_claims_compressed_size samba/librpc/ndr/ndr_claims.c:47:12
    #4 0x559d03a76fad in ndr_push_CLAIMS_SET_METADATA samba/bin/default/librpc/gen_ndr/ndr_claims.c:1078:3
    #5 0x559d03a15c51 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_claims_TYPE_STRUCT.c:305:13
    #6 0x559d03afd3cb in main
    #7 0x7fbb0c7f2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #8 0x559d03940afd in _start
Comment 1 Douglas Bagnall 2023-03-31 21:16:46 UTC
This is not a security issue because this code is not yet used outside of tests, besides being only in master and no release branches.
Comment 2 Samba QA Contact 2023-04-05 02:03:04 UTC
This bug was referenced in samba master:

f1174c6e0c4c033b3eae0b9ab94d76ac1382f74b