Bug 15348 - Null-dereference READ in ndr_push_CLAIMS_SET_NDR
Summary: Null-dereference READ in ndr_push_CLAIMS_SET_NDR
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: PIDL and libndr (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2023-03-31 21:13 UTC by Douglas Bagnall
Modified: 2023-04-05 02:03 UTC (History)
2 users (show)

See Also:

the relevant fuzz test case (32 bytes, application/octet-stream)
2023-03-31 21:13 UTC, Douglas Bagnall
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Douglas Bagnall 2023-03-31 21:13:53 UTC
Created attachment 17852 [details]
the relevant fuzz test case

From OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57591
Detailed Report: https://oss-fuzz.com/testcase?key=6174047888343040

 	==7133==The signal is caused by a READ memory access.
	==7133==Hint: address points to the zero page.
	SCARINESS: 10 (null-deref)
	    #0 0x559d03a753c2 in ndr_push_CLAIMS_SET_CTR samba/bin/default/librpc/gen_ndr/ndr_claims.c:783:3
	    #1 0x559d03a753c2 in ndr_push_CLAIMS_SET_NDR samba/bin/default/librpc/gen_ndr/ndr_claims.c:976:4
	    #2 0x559d03acea20 in ndr_push_struct_blob samba/librpc/ndr/ndr.c:1435:2
	    #3 0x559d03a7ea68 in ndr_claims_compressed_size samba/librpc/ndr/ndr_claims.c:47:12
	    #4 0x559d03a76fad in ndr_push_CLAIMS_SET_METADATA samba/bin/default/librpc/gen_ndr/ndr_claims.c:1078:3
	    #5 0x559d03a15c51 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_claims_TYPE_STRUCT.c:305:13
	    #6 0x559d03afd3cb in main
	    #7 0x7fbb0c7f2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
	    #8 0x559d03940afd in _start
Comment 1 Douglas Bagnall 2023-03-31 21:16:46 UTC
This is not a security issue because this code is not yet used outside of tests, besides being only in master and no release branches.
Comment 2 Samba QA Contact 2023-04-05 02:03:04 UTC
This bug was referenced in samba master: