Bug 16041 - 2-byte buffer overflow when zip-compressing CAB files in NDR
Summary: 2-byte buffer overflow when zip-compressing CAB files in NDR
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: PIDL and libndr
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2026-03-26 16:15 UTC by Volker Lendecke
Modified: 2026-05-18 22:50 UTC
CC: 3 users

See Also:


Attachments
Findings as reported (35.58 KB, application/zip)
2026-03-26 16:17 UTC, Volker Lendecke

Description Volker Lendecke 2026-03-26 16:15:50 UTC

    
Comment 1 Volker Lendecke 2026-03-26 16:17:07 UTC
Created attachment 18926 [details]
Findings as reported
Comment 2 Volker Lendecke 2026-03-26 16:19:00 UTC
Mail by Kevin Valerio <kevin.valerio@trailofbits.com>:

Hi,

We're writing from Trail of Bits, a security research firm. We found
a security issue in Samba and have prepared a patch for it. The
finding is rated Medium. Details are below.


FINDINGS
--------

In ndr_push_compression_mszip_cab_chunk() at ndr_compression.c:230,
the zlib deflate output buffer size is set to comp_chunk.length
instead of comp_chunk.length - 2, failing to account for the 2-byte
"CK" header already written at the start of the buffer. This allows
deflate() to write up to 2 bytes past the end of the allocated heap
buffer when compressing CAB data for NDR serialization.

An attacker who can cause a Samba server to re-serialize
attacker-influenced CAB data (e.g., via printer driver uploads) can
trigger the overflow. The resulting 2-byte heap overflow can corrupt
adjacent heap objects or talloc metadata.


REPRODUCTION
------------

Build fuzzers:
  git clone https://github.com/google/oss-fuzz
  cd oss-fuzz
  python3 infra/helper.py build_fuzzers --sanitizer address samba

Run the PoC:
  python3 infra/helper.py reproduce samba fuzz_ndr_cab_TYPE_STRUCT poc.bin

Expected output: ASAN reports heap-buffer-overflow WRITE in
ndr_push_compression_mszip_cab_chunk at ndr_compression.c:255, with
the overflow occurring immediately past a ~32K heap region.


ATTACHMENTS
-----------

We have attached a zip containing:

- Full technical details of each finding
- Reproduction steps and proof-of-concept where applicable
- Candidate patch(es) with regression tests


BACKGROUND
----------

Anthropic is conducting research into the use of large language models
for automated vulnerability discovery in open source software. As part
of that work, Anthropic used Claude to scan a set of widely used open
source projects for security issues. Anthropic then engaged Trail of
Bits to independently triage, manually validate, and develop patches
for the findings. Each issue in this report has been reviewed and
confirmed by human security researchers at Trail of Bits.


NEXT STEPS
----------

We are disclosing under Anthropic's coordinated vulnerability
disclosure policy:
https://www.anthropic.com/coordinated-vulnerability-disclosure

Our disclosure timeline is 90 days from the date of
this email, with a 14-day extension available if needed.

We'd like to work with your maintainers to get these issues fixed. We
are happy to submit PRs or coordinate with your preferred process. Let
us know if there's a specific security contact you'd like us to work
with.

Thanks for your work on Samba.

— Trail of Bits, in collaboration with Anthropic
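To make the sizing error in the report concrete, here is an added C example; it is not code from the report, from the attached candidate patch, or from Samba itself. It models a CAB MSZIP chunk as a buffer that starts with the 2-byte "CK" signature, hands the remaining space to a stand-in for zlib's deflate(), and checks the invariant that signature plus payload never exceed the chunk. The function names, the stand-in compressor, the 32768-byte chunk size (picked to match the "~32K" region mentioned above) and the 16-byte test chunk are all assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the "CK" signature that starts every MSZIP-compressed CAB block. */
#define MSZIP_SIG_LEN 2

/*
 * Stand-in for zlib's deflate() (an assumption of this example, not the real
 * API): it copies up to avail_out input bytes into out, i.e. it behaves like
 * the worst case of a compressor that is allowed to use its whole budget.
 */
static size_t fake_deflate(uint8_t *out, size_t avail_out,
                           const uint8_t *in, size_t in_len)
{
    size_t n = in_len < avail_out ? in_len : avail_out;
    memcpy(out, in, n);
    return n;
}

/*
 * Output budget for the compressor inside a comp_len-byte chunk buffer:
 * the chunk length minus the signature already written at its start.
 * Returns false if the chunk cannot even hold the signature.
 */
static bool mszip_output_budget(size_t comp_len, size_t *avail_out)
{
    if (comp_len < MSZIP_SIG_LEN) {
        return false;
    }
    *avail_out = comp_len - MSZIP_SIG_LEN;
    return true;
}

/*
 * Worst-case number of bytes a compressor could write past the end of a
 * comp_len-byte buffer if it is handed avail_out bytes of budget starting
 * right after the signature. 0 means the sizing is safe.
 */
static size_t worst_case_overrun(size_t comp_len, size_t avail_out)
{
    size_t end = MSZIP_SIG_LEN + avail_out;
    return end > comp_len ? end - comp_len : 0;
}

/*
 * Writes the signature, then the compressed payload, into comp. Returns the
 * total bytes used, or 0 if the chunk is too small. The final check is the
 * invariant the report says was violated: signature + payload <= comp_len.
 */
static size_t push_mszip_chunk(uint8_t *comp, size_t comp_len,
                               const uint8_t *in, size_t in_len)
{
    size_t avail_out;
    if (!mszip_output_budget(comp_len, &avail_out)) {
        return 0;
    }
    comp[0] = 'C';
    comp[1] = 'K';
    size_t n = fake_deflate(comp + MSZIP_SIG_LEN, avail_out, in, in_len);
    if (MSZIP_SIG_LEN + n > comp_len) {
        return 0; /* unreachable with the corrected budget */
    }
    return MSZIP_SIG_LEN + n;
}

/* Constructed check: a 16-byte chunk receiving 32 bytes of input ends up
 * exactly full, starts with "CK", and never exceeds the buffer. */
static bool demo_chunk_fills_exactly(void)
{
    uint8_t in[32];
    uint8_t comp[16];
    memset(in, 'A', sizeof in);
    size_t used = push_mszip_chunk(comp, sizeof comp, in, sizeof in);
    return used == sizeof comp && comp[0] == 'C' && comp[1] == 'K' &&
           comp[2] == 'A';
}

/* Constructed check: a chunk too small for the signature is rejected. */
static bool demo_tiny_chunk_rejected(void)
{
    uint8_t comp[1] = {0};
    uint8_t in[1] = {'x'};
    return push_mszip_chunk(comp, 1, in, 1) == 0;
}

int main(void)
{
    /* 32768 is an assumed chunk size chosen to match the "~32K" region in the report. */
    const size_t comp_len = 32768;
    printf("budget = comp_len     -> worst-case overrun %zu bytes\n",
           worst_case_overrun(comp_len, comp_len));
    printf("budget = comp_len - %d -> worst-case overrun %zu bytes\n",
           MSZIP_SIG_LEN, worst_case_overrun(comp_len, comp_len - MSZIP_SIG_LEN));
    printf("exact fill ok: %d, tiny chunk rejected: %d\n",
           demo_chunk_fills_exactly(), demo_tiny_chunk_rejected());
    return 0;
}
```

The two worst_case_overrun calls in main are the whole story of the finding: with the budget equal to the chunk length the compressor may end 2 bytes past the buffer, and with the signature length subtracted it ends exactly at the boundary. A regression test for this class of bug only needs a compressor that is willing to fill its entire budget, which is why the stand-in copies input rather than compressing it.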
Comment 3 Douglas Bagnall 2026-05-14 04:49:45 UTC
(In reply to Volker Lendecke from comment #2)

> Our disclosure timeline is 90 days from the date of this email, with a 14-day extension available if needed.

That date was:

> Date: Fri, 20 Mar 2026 12:40:46 +0100

So the deadline is about June 18.
Comment 4 Andrew Bartlett 2026-05-15 05:45:14 UTC
I'm not aware of a call path to this code, outside smbtorture, so unless someone can find one I think we should open this up and just fix it.
Comment 5 Stefan Metzmacher 2026-05-15 09:08:55 UTC
(In reply to Andrew Bartlett from comment #4)

Yes, it seems to be smbtorture only.
Comment 6 Andreas Schneider 2026-05-18 11:09:46 UTC
That's needed for supporting v4 printer drivers but we never finished that work. That is all unwired code.
Comment 7 Douglas Bagnall 2026-05-18 22:50:31 UTC
Removing embargo.