Created attachment 17853
the fuzz case

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57608

Detailed Report: https://oss-fuzz.com/testcase?key=5298901585625088

Related to the NDR compression changes, this is not a problem in any releases, but I have restricted it to Samba devs for now in case we muck around for ages.

READ of size 4 at 0x611000000680 thread T0
SCARINESS: 45 (4-byte-read-heap-use-after-free)
    #0 0x5641459b4cf3 in talloc_chunk_from_ptr samba/lib/talloc/talloc.c:527:6
    #1 0x5641459b4cf3 in _talloc_free samba/lib/talloc/talloc.c:1770:7
    #2 0x564145a1eb69 in generic_mszip_free samba/librpc/ndr/ndr_compression.c:1005:2
    #3 0x564145a1eb69 in ndr_push_compression_state_free samba/librpc/ndr/ndr_compression.c:1078:3
    #4 0x5641459bdb8f in _tc_free_internal samba/lib/talloc/talloc.c:1158:7
    #5 0x5641459bd717 in _tc_free_children_internal samba/lib/talloc/talloc.c:1669:7
    #6 0x5641459bd717 in _tc_free_internal samba/lib/talloc/talloc.c:1184:2
    #7 0x5641459bd717 in _tc_free_children_internal samba/lib/talloc/talloc.c:1669:7
    #8 0x5641459bd717 in _tc_free_internal samba/lib/talloc/talloc.c:1184:2
    #9 0x5641459b4a26 in _talloc_free_internal samba/lib/talloc/talloc.c:1248:9
    #10 0x5641459b4a26 in _talloc_free samba/lib/talloc/talloc.c:1792:9
    #11 0x564145a3cef4 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_cab_TYPE_STRUCT.c:0
    #12 0x5641458812c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #13 0x56414586ca22 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #14 0x5641458722cc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #15 0x56414589b802 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7fb917251082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #17 0x564145862bed in _start
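An added triage helper for the report quoted in the comment above (my own example, not Samba or OSS-Fuzz tooling): it parses the ASan header, the SCARINESS line and each stack frame, then skips the allocator (talloc), libFuzzer and glibc frames to find the first frame in the code under investigation, and records whether that frame was reached from inside a talloc free, which is what a destructor running during tree teardown looks like. The skip-list of path prefixes is my own heuristic, not anything from the report.

```python
"""Parse an ASan/OSS-Fuzz crash report and pick the frame to look at first.

Added example for this bug page; not Samba's or OSS-Fuzz's code. The set of
path prefixes treated as "not the bug" (SKIP_PREFIXES) is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Stack trace copied from the OSS-Fuzz report quoted in the bug comment above.
REPORT = """\
READ of size 4 at 0x611000000680 thread T0
SCARINESS: 45 (4-byte-read-heap-use-after-free)
    #0 0x5641459b4cf3 in talloc_chunk_from_ptr samba/lib/talloc/talloc.c:527:6
    #1 0x5641459b4cf3 in _talloc_free samba/lib/talloc/talloc.c:1770:7
    #2 0x564145a1eb69 in generic_mszip_free samba/librpc/ndr/ndr_compression.c:1005:2
    #3 0x564145a1eb69 in ndr_push_compression_state_free samba/librpc/ndr/ndr_compression.c:1078:3
    #4 0x5641459bdb8f in _tc_free_internal samba/lib/talloc/talloc.c:1158:7
    #5 0x5641459bd717 in _tc_free_children_internal samba/lib/talloc/talloc.c:1669:7
    #6 0x5641459bd717 in _tc_free_internal samba/lib/talloc/talloc.c:1184:2
    #7 0x5641459bd717 in _tc_free_children_internal samba/lib/talloc/talloc.c:1669:7
    #8 0x5641459bd717 in _tc_free_internal samba/lib/talloc/talloc.c:1184:2
    #9 0x5641459b4a26 in _talloc_free_internal samba/lib/talloc/talloc.c:1248:9
    #10 0x5641459b4a26 in _talloc_free samba/lib/talloc/talloc.c:1792:9
    #11 0x564145a3cef4 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_cab_TYPE_STRUCT.c:0
    #12 0x5641458812c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #13 0x56414586ca22 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #14 0x5641458722cc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #15 0x56414589b802 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7fb917251082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #17 0x564145862bed in _start
"""

# Assumption: frames under these prefixes are allocator, harness or libc,
# not the code whose bug we are triaging.
SKIP_PREFIXES = ("samba/lib/talloc/", "/src/llvm-project/", "/build/glibc")


@dataclass
class Frame:
    index: int
    function: str
    file: Optional[str]     # None for frames without debug info (e.g. _start)
    line: Optional[int]
    column: Optional[int]   # ASan omits the column for some frames (#11 above)


HEADER_RE = re.compile(r"(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)")
SCARINESS_RE = re.compile(r"SCARINESS: (\d+) \((.+)\)")
# Function names may contain spaces and parentheses (C++ signatures), so the
# function group is non-greedy and the file group excludes ':' so that
# "path:line:col" splits correctly.
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+([^\s:]+):(\d+)(?::(\d+))?")
FRAME_NOLOC_RE = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)")


def parse_report(text: str) -> dict:
    """Extract the access header, scariness line and stack frames."""
    info = {"access": None, "size": None, "address": None, "thread": None,
            "scariness": None, "description": None, "frames": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.fullmatch(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
            info["address"], info["thread"] = m.group(3), m.group(4)
        elif m := SCARINESS_RE.fullmatch(line):
            info["scariness"], info["description"] = int(m.group(1)), m.group(2)
        elif m := FRAME_RE.fullmatch(line):
            col = int(m.group(5)) if m.group(5) else None
            info["frames"].append(Frame(int(m.group(1)), m.group(2), m.group(3),
                                        int(m.group(4)), col))
        elif m := FRAME_NOLOC_RE.fullmatch(line):
            info["frames"].append(Frame(int(m.group(1)), m.group(2), None, None, None))
    return info


def first_project_frame(frames: List[Frame]) -> Optional[Frame]:
    """Innermost frame that is not allocator, fuzzer harness or libc."""
    for f in frames:
        if f.file and not f.file.startswith(SKIP_PREFIXES):
            return f
    return None


def teardown_caller(frames: List[Frame], project: Frame) -> Optional[Frame]:
    """First talloc frame deeper than the project frame, if any.

    Project code sitting on top of _tc_free_internal was invoked by talloc
    itself, i.e. as a destructor while a talloc tree was being freed.
    """
    start = frames.index(project) + 1
    for f in frames[start:]:
        if f.file and f.file.startswith("samba/lib/talloc/"):
            return f
    return None


def triage(text: str) -> dict:
    """Summarise a report into the fields a developer looks at first."""
    info = parse_report(text)
    project = first_project_frame(info["frames"])
    caller = teardown_caller(info["frames"], project) if project else None
    return {
        "kind": info["description"],
        "access": f'{info["access"]} of size {info["size"]} at {info["address"]}',
        "first_project_frame": project,
        "location": f"{project.file}:{project.line}" if project else None,
        "called_from_talloc_free": caller is not None,
        "teardown_caller": caller.function if caller else None,
        "frame_count": len(info["frames"]),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

Run as a script it points at generic_mszip_free in ndr_compression.c:1005 and reports that the free happened from inside _tc_free_internal, so the thing to read is the destructor chain for the compression state rather than the talloc internals in frames #0 and #1.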
This bug was referenced in samba master: ff2de50aa4bf086880ab8cd1c2aee7e998c2c22a
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57608#c4 confirms this is fixed. Closing.