Bug 15617 - Null dereference in ndr_push_spoolss_PrinterEnumValues
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: printing-maintainers
QA Contact: Samba QA Contact
URL: https://bugs.chromium.org/p/oss-fuzz/...
Reported: 2024-03-28 01:41 UTC by Douglas Bagnall
Modified: 2024-06-26 03:08 UTC

Description Douglas Bagnall 2024-03-28 01:41:02 UTC
From https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60906

$ valgrind bin/fuzz_ndr_spoolss_TYPE_OUT ~/Downloads/clusterfuzz-testcase-minimized-fuzz_ndr_spoolss_TYPE_OUT-5223912281079808.fuzz
==2100925== Memcheck, a memory error detector
==2100925== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2100925== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==2100925== Command: bin/fuzz_ndr_spoolss_TYPE_OUT /home/douglasb/Downloads/clusterfuzz-testcase-minimized-fuzz_ndr_spoolss_TYPE_OUT-5223912281079808.fuzz
==2100925== 
==2100925== Invalid read of size 8
==2100925==    at 0x1FCA3C: ndr_push_spoolss_PrinterEnumValues (ndr_spoolss.c:22939)
==2100925==    by 0x25CE41: ndr_push___spoolss_EnumPrinterDataEx (ndr_spoolss.c:35251)
==2100925==    by 0x15F1C3: ndr_push_spoolss_EnumPrinterDataEx (ndr_spoolss_buf.c:628)
==2100925==    by 0x165EF7: LLVMFuzzerTestOneInput (fuzz_ndr_spoolss_TYPE_OUT.c:311)
==2100925==    by 0x166098: main (afl-fuzz-main.c:46)
==2100925==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2100925== 
==2100925== 
==2100925== Process terminating with default action of signal 11 (SIGSEGV)
==2100925==  Access not within mapped region at address 0x0
==2100925==    at 0x1FCA3C: ndr_push_spoolss_PrinterEnumValues (ndr_spoolss.c:22939)
==2100925==    by 0x25CE41: ndr_push___spoolss_EnumPrinterDataEx (ndr_spoolss.c:35251)
==2100925==    by 0x15F1C3: ndr_push_spoolss_EnumPrinterDataEx (ndr_spoolss_buf.c:628)
==2100925==    by 0x165EF7: LLVMFuzzerTestOneInput (fuzz_ndr_spoolss_TYPE_OUT.c:311)
==2100925==    by 0x166098: main (afl-fuzz-main.c:46)
==2100925==  If you believe this happened as a result of a stack
==2100925==  overflow in your program's main thread (unlikely but
==2100925==  possible), you can try to increase the size of the
==2100925==  main thread stack using the --main-stacksize= flag.
==2100925==  The main thread stack size used in this run was 8388608.
==2100925== 
==2100925== HEAP SUMMARY:
==2100925==     in use at exit: 173,221 bytes in 717 blocks
==2100925==   total heap usage: 1,321 allocs, 604 frees, 187,421 bytes allocated
==2100925== 
==2100925== LEAK SUMMARY:
==2100925==    definitely lost: 0 bytes in 0 blocks
==2100925==    indirectly lost: 0 bytes in 0 blocks
==2100925==      possibly lost: 6,397 bytes in 15 blocks
==2100925==    still reachable: 166,824 bytes in 702 blocks
==2100925==         suppressed: 0 bytes in 0 blocks
==2100925== Rerun with --leak-check=full to see details of leaked memory
==2100925== 
==2100925== For lists of detected and suppressed errors, rerun with: -s
==2100925== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

This one does not cause problems when converted to ndrdump:

bin/ndrdump spoolss 79 out --base64-input --input AAAAAAAAAAAgICAgIP///w==

I'm not sure why.