The branch, master has been updated
       via  b815abe7799 libcli/security: check again for NULL values
       via  78f728063a1 libcli/security: claims_conversions: check for NULL in claims array
      from  97a23e57dc8 s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b815abe77991d7929717ea3ed4b9d7bef7179715
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Sun Mar 17 23:08:23 2024 +1300

    libcli/security: check again for NULL values

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224

commit 78f728063a1e510966a45f7f1d9515ea3bd16214
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Sun Mar 17 23:07:17 2024 +1300

    libcli/security: claims_conversions: check for NULL in claims array

    If by mistake we end up with a NULL in our array of claims pointers,
    it is better to return an error than crash.

    There can be NULLs in the array if a resource attribute ACE has a
    claim that uses 0 as a relative data pointer. Samba assumes this
    means a NULL pointer, rather than a zero offset.

    Credit to OSS-Fuzz.

    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/claims-conversions.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)


Changeset truncated at 500 lines:

diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c
index bbba5973852..ccf1375fc8f 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -262,6 +262,9 @@ static bool claim_v1_offset_to_ace_token( uint8_t f = claim->flags & CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE; result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR; + if (claim->values[offset].int_value == NULL) { + return false; + } switch (claim->value_type) { case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64: return claim_v1_int_to_ace_int(claim, offset, result); @@ -935,6 +938,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx, .case_sensitive = case_sensitive }; + /* + * It could be that the values array contains a NULL pointer, in which + * case we don't need to worry about what type it is. + */ + for (i = 0; i < claim->value_count; i++) { + if (claim->values[i].int_value == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + } + if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) { NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim); if (NT_STATUS_IS_OK(status)) { -- Samba Shared Repository
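Review bot: in the claim_v1_offset_to_ace_token hunk the new NULL check sits after `result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR;`, so the `return false` path hands the caller a `result` whose flags have already been written; move the check above that assignment (before `f` is computed) so a rejected claim leaves `result` untouched. The check also reads `claim->values[offset].int_value` regardless of `claim->value_type`, which is only sound because every member of the values union is a pointer; the second hunk documents that in a comment and this one should too. Nothing in the visible context bounds-checks `offset` against `claim->value_count` before `claim->values[offset]` is read, so if the caller guarantees it, a comment here saying so would save the next reader the trip.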
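Review bot: the loop added to claim_v1_check_and_sort returns NT_STATUS_INVALID_PARAMETER on the first NULL without recording which value index tripped it; since the commit message ties this to a resource attribute ACE using 0 as a relative data pointer, a DBG_WARNING naming the index (and the claim, if its name is at hand at this point) would make the rejection diagnosable in the field rather than a silent failure. Also, `i` is used as the loop variable but its declaration is not in the visible context; confirm it is already declared in this function with an unsigned type matching `claim->value_count` and is not a variable carrying a different meaning elsewhere in the function.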
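The mechanism the commit message describes (a zero relative data pointer decoded as NULL, leaving a NULL in the claim's values array that later code dereferences), as an added example in C. This is not Samba's code: the `example_*` names, the `union example_value` standing in for the claim value union, the element-indexed relative pointers and the constructed `example_data` table are all assumptions made for illustration. It shows the decode step that produces the NULL entry, the check over the union that refuses it, and the consumer that would otherwise crash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Added example, not Samba code. A union of pointers stands in for the claim
 * value union; a zero relative pointer decodes to NULL, as the commit
 * message describes. All names are hypothetical.
 */
union example_value {
	const int64_t *int_value;
	const char *string;
};

#define EXAMPLE_MAX_VALUES 8

struct example_claim {
	uint32_t value_count;
	union example_value values[EXAMPLE_MAX_VALUES];
};

/*
 * Resolve relative pointers: offsets[i] indexes data[]; 0 means "no data"
 * and becomes a NULL entry. Returns false on out-of-range or too many values.
 */
static bool example_decode_claim(const int64_t *data, size_t data_count,
				 const uint32_t *offsets, uint32_t count,
				 struct example_claim *claim)
{
	uint32_t i;
	if (count > EXAMPLE_MAX_VALUES) {
		return false;
	}
	claim->value_count = count;
	for (i = 0; i < count; i++) {
		if (offsets[i] == 0) {
			claim->values[i].int_value = NULL; /* zero pointer -> NULL */
		} else if (offsets[i] >= data_count) {
			return false;
		} else {
			claim->values[i].int_value = &data[offsets[i]];
		}
	}
	return true;
}

/* The patch's check in this model: every union member is a pointer, so
 * testing int_value covers every value type. */
static bool example_claim_values_present(const struct example_claim *claim)
{
	uint32_t i;
	for (i = 0; i < claim->value_count; i++) {
		if (claim->values[i].int_value == NULL) {
			return false;
		}
	}
	return true;
}

/* A consumer that dereferences every value; without the check a NULL entry
 * would be dereferenced here. On rejection *sum is left untouched. */
static bool example_sum_claim(const struct example_claim *claim, int64_t *sum)
{
	uint32_t i;
	int64_t total = 0;
	if (!example_claim_values_present(claim)) {
		return false;
	}
	for (i = 0; i < claim->value_count; i++) {
		total += *claim->values[i].int_value;
	}
	*sum = total;
	return true;
}

/* Constructed table; slot 0 is never a valid target because 0 means NULL. */
static const int64_t example_data[3] = { 0, 5, 7 };

/* Two valid relative pointers: sums to 12; -1 on any failure. */
static int64_t example_sum_of_clean_claim(void)
{
	static const uint32_t offsets[] = { 1, 2 };
	struct example_claim claim;
	int64_t sum = -1;
	if (!example_decode_claim(example_data, 3, offsets, 2, &claim) ||
	    !example_sum_claim(&claim, &sum)) {
		return -1;
	}
	return sum;
}

/* A zero relative pointer in the middle decodes, but must be refused. */
static bool example_null_claim_is_rejected(void)
{
	static const uint32_t offsets[] = { 1, 0, 2 };
	struct example_claim claim;
	int64_t sum = 0;
	if (!example_decode_claim(example_data, 3, offsets, 3, &claim)) {
		return false;
	}
	return claim.values[1].int_value == NULL &&
	       !example_sum_claim(&claim, &sum) && sum == 0;
}
```

The decode step deliberately accepts the zero pointer and records NULL, as the commit message says Samba does, so the only thing standing between the fuzzer's input and a dereference is the check in front of the consumer; that is why the patch puts the NULL test before the type-specific code rather than in the decoder.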