Created attachment 18272 [details]
a patch, perhaps in the wrong place, but it works

We forget that an ACE with zero coda could be a resource attribute ACE, and initialise only the ignored blob. The correct thing to do would probably be to fail.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577

This arose from the manual parsing that Andrew correctly grumbled about in https://gitlab.com/samba-team/samba/-/merge_requests/3489 but as that MR itself closed a couple of OSS-Fuzz issues, I suspect the underlying bug is in the (manual) ndr_subcontext_size_of_ace_coda() helper function that both versions rely on.

#0 0x56335e0cc68d in ndr_push_CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 samba/bin/default/librpc/gen_ndr/ndr_security.c:798:4
#1 0x56335e0dab63 in ndr_push_security_ace_coda samba/bin/default/librpc/gen_ndr/ndr_security.c:1083:5
#2 0x56335e143090 in ndr_size_union samba/librpc/ndr/ndr.c:1584:11
#3 0x56335e0dde9e in ndr_size_security_ace_coda samba/bin/default/librpc/gen_ndr/ndr_security.c:1325:9
#4 0x56335e0f6dc4 in ndr_size_security_ace samba/librpc/ndr/ndr_sec_helper.c:65:10
#5 0x56335e0f9cb0 in ndr_size_security_acl samba/librpc/ndr/ndr_sec_helper.c:218:10
#6 0x56335e0f9f9c in ndr_size_security_descriptor samba/librpc/ndr/ndr_sec_helper.c:234:9
#7 0x56335e0e7906 in ndr_push_sec_desc_buf samba/bin/default/librpc/gen_ndr/ndr_security.c:1718:3
#8 0x56335df865a8 in ndr_push_samr_QuerySecurity samba/bin/default/librpc/gen_ndr/ndr_samr.c:6366:4
#9 0x56335dcb3d08 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_samr_TYPE_OUT.c:305:13
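The zero-coda case the report describes, as an added illustration that is neither Samba's code nor the attached patch: a coda-sizing helper over the on-the-wire ACE layout (hypothetical names throughout) that refuses a resource attribute ACE whose coda is empty instead of sizing it as an ignorable blob. It assumes the MS-DTYP value 0x12 for the resource attribute ACE type and handles only non-object ACEs (header, access mask, SID, coda).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE as defined in MS-DTYP. */
#define ACE_TYPE_RESOURCE_ATTRIBUTE 0x12

#define ACE_HDR_LEN 4     /* AceType, AceFlags, AceSize (little-endian u16) */
#define ACE_MASK_LEN 4    /* access mask that follows the header */
#define SID_FIXED_LEN 8   /* Revision, SubAuthorityCount, 6-byte IdentifierAuthority */
#define SID_MAX_SUBAUTHS 15

/*
 * Hypothetical stand-in for the coda-sizing helper named in the report (not
 * Samba's ndr_subcontext_size_of_ace_coda()).  Returns the byte length of the
 * coda (everything after the SID) or -1 when the ACE is malformed.  The last
 * check is the point of the bug: a resource attribute ACE with an empty coda
 * cannot hold the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 it must carry, so the
 * helper fails instead of letting the caller zero-initialise the wrong union
 * member.  Only non-object ACEs (header, mask, SID, coda) are handled.
 */
int ace_coda_size(const uint8_t *buf, size_t len)
{
    const size_t min_len = ACE_HDR_LEN + ACE_MASK_LEN + SID_FIXED_LEN;
    if (buf == NULL || len < min_len) return -1;
    uint8_t type = buf[0];
    uint16_t ace_size = (uint16_t)(buf[2] | ((uint16_t)buf[3] << 8));
    /* AceSize must fit the buffer and cover at least a bare SID */
    if (ace_size > len || ace_size < min_len) return -1;
    size_t sid_off = ACE_HDR_LEN + ACE_MASK_LEN;
    uint8_t nsub = buf[sid_off + 1];
    if (nsub > SID_MAX_SUBAUTHS) return -1;
    size_t sid_len = SID_FIXED_LEN + 4u * nsub;
    if (ace_size < sid_off + sid_len) return -1;   /* SID runs past AceSize */
    size_t coda = ace_size - sid_off - sid_len;
    /* the report's case: a zero-length coda is invalid for this ACE type */
    if (type == ACE_TYPE_RESOURCE_ATTRIBUTE && coda == 0) return -1;
    return (int)coda;
}

/* Constructed sample: resource attribute ACE, AceSize 24, mask 0,
 * SID S-1-5-32-544 (two sub-authorities) and no coda at all. */
const uint8_t SAMPLE_EMPTY_CODA[24] = {
    0x12, 0x00, 0x18, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x20, 0x00, 0x00, 0x00,  0x20, 0x02, 0x00, 0x00,
};
```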
There are many related oss-fuzz issues that manifest as print timeouts:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67619
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67603
etc.
This bug was referenced in samba master: 6fb98f70c6274e172787c8d5f73aa93920171e7c
Created attachment 18275 [details] Patch for master backported to Samba 4.20 (v1)
Comment on attachment 18275 [details] Patch for master backported to Samba 4.20 (v1)
https://gitlab.com/samba-team/devel/samba/-/pipelines/1225949080
Comment on attachment 18275 [details] Patch for master backported to Samba 4.20 (v1)
Marking as CI passed. Only failure is a deadtime test in the nt4-dc env, which isn't running this code (so any tests missed also won't be touching this code).
For 4.20.
Pushed to autobuild-v4-20-test.
This bug was referenced in samba v4-20-test: 3be368ff2bc6d7818d41a36ae99a7c9b19ba77b8
Closing out bug report. Thanks!
This bug was referenced in samba v4-20-stable (Release samba-4.20.0): 3be368ff2bc6d7818d41a36ae99a7c9b19ba77b8