The branch, master has been updated
       via  b815abe7799 libcli/security: check again for NULL values
       via  78f728063a1 libcli/security: claims_conversions: check for NULL in claims array
      from  97a23e57dc8 s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b815abe77991d7929717ea3ed4b9d7bef7179715
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Sun Mar 17 23:08:23 2024 +1300

    libcli/security: check again for NULL values
    
    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224

commit 78f728063a1e510966a45f7f1d9515ea3bd16214
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Sun Mar 17 23:07:17 2024 +1300

    libcli/security: claims_conversions: check for NULL in claims array
    
    If by mistake we end up with a NULL in our array of claims pointers,
    it is better to return an error than crash.
    
    There can be NULLs in the array if a resource attribute ACE has a
    claim that uses 0 as a relative data pointer. Samba assumes this means
    a NULL pointer, rather than a zero offset.
    
    Credit to OSS-Fuzz.
    
    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606
    
    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/claims-conversions.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)


Changeset truncated at 500 lines:

diff --git a/libcli/security/claims-conversions.c 
b/libcli/security/claims-conversions.c
index bbba5973852..ccf1375fc8f 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -262,6 +262,9 @@ static bool claim_v1_offset_to_ace_token(
        uint8_t f = claim->flags & 
CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
        result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR;
 
+       if (claim->values[offset].int_value == NULL) {
+               return false;
+       }
        switch (claim->value_type) {
        case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64:
                return claim_v1_int_to_ace_int(claim, offset, result);
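Review bot: the new guard tests `claim->values[offset].int_value` before the `switch (claim->value_type)`, so it reads the `int_value` member of the union whatever the actual value type is; that is only correct if every member of the values union is a pointer of the same representation, and a one-line comment saying so (as the second hunk does) would save the next reader from wondering whether a string or SID claim could be misread here. The hunk also does not show whether `offset` has been checked against `claim->value_count` before `claim->values[offset]` is dereferenced; if that check lives earlier in `claim_v1_offset_to_ace_token()` this is fine, otherwise it belongs ahead of the NULL test. Finally, returning bare `false` gives no trace of why the conversion failed; a debug message at this return would make fuzz-found inputs like the OSS-Fuzz case in the commit message far easier to diagnose.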
@@ -935,6 +938,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx,
                .case_sensitive = case_sensitive
        };
 
+       /*
+        * It could be that the values array contains a NULL pointer, in which
+        * case we don't need to worry about what type it is.
+        */
+       for (i = 0; i < claim->value_count; i++) {
+               if (claim->values[i].int_value == NULL) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+       }
+
        if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) {
                NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, 
claim);
                if (NT_STATUS_IS_OK(status)) {
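Review bot: the loop variable `i` is used but not declared in the visible lines, so please confirm it is declared earlier in `claim_v1_check_and_sort()` with a type that compares cleanly against `claim->value_count` (no signed/unsigned warning). The comment above the loop explains why the type does not matter, but it would be clearer if it stated the underlying assumption explicitly, e.g. "every member of the values union is a pointer, so int_value is a valid way to test any of them for NULL"; without that, reading `.int_value` on a non-integer claim looks like a type confusion to a reviewer. Returning `NT_STATUS_INVALID_PARAMETER` is consistent with the rest of this function, though a `DBG_WARNING` naming the claim and index would help when a resource attribute ACE with a zero relative pointer (the case described in the commit message) is rejected.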


-- 
Samba Shared Repository
