[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Mar 18 02:52:01 UTC 2024


The branch, master has been updated
       via  b815abe7799 libcli/security: check again for NULL values
       via  78f728063a1 libcli/security: claims_conversions: check for NULL in claims array
      from  97a23e57dc8 s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b815abe77991d7929717ea3ed4b9d7bef7179715
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sun Mar 17 23:08:23 2024 +1300

    libcli/security: check again for NULL values
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224

commit 78f728063a1e510966a45f7f1d9515ea3bd16214
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sun Mar 17 23:07:17 2024 +1300

    libcli/security: claims_conversions: check for NULL in claims array
    
    If by mistake we end up with a NULL in our array of claims pointers,
    it is better to return an error than crash.
    
    There can be NULLs in the array if a resource attribute ACE has a
    claim that uses 0 as a relative data pointer. Samba assumes this means
    a NULL pointer, rather than a zero offset.
    
    Credit to OSS-Fuzz.
    
    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

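As an added illustration of the situation the commit message describes (a relative data pointer of 0 decoded as NULL rather than as offset zero, and a consumer that must reject the resulting NULL slot instead of dereferencing it), here is a small self-contained C model. This is example code written for this page, not Samba's: the claim types, the decoder and every function name are hypothetical stand-ins for the real claims structures, and the sample buffer is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Hypothetical stand-ins for the claim structures the patch touches.
 * Every member of the union is a pointer, which is what makes testing
 * int_value for NULL valid regardless of the declared value type.
 */
enum claim_value_type {
	CLAIM_TYPE_INT64 = 1
};

union claim_value {
	int64_t *int_value;
	char *string_value;
};

struct claim {
	enum claim_value_type value_type;
	uint32_t value_count;
	union claim_value *values;
};

/*
 * Resolve relative offsets into buf. A zero offset is decoded as a NULL
 * pointer rather than as "the start of the buffer", matching what the
 * commit message says Samba does. Offsets that would read past the end
 * of the buffer are rejected (each value is an int64 here, so 8 bytes).
 */
int decode_claim_values(uint8_t *buf, size_t buf_len,
			const uint32_t *offsets, uint32_t count,
			union claim_value *out)
{
	uint32_t i;
	for (i = 0; i < count; i++) {
		uint32_t off = offsets[i];
		if (off == 0) {
			out[i].int_value = NULL;
			continue;
		}
		if (off > buf_len || buf_len - off < sizeof(int64_t)) {
			return -1;
		}
		out[i].int_value = (int64_t *)(buf + off);
	}
	return 0;
}

/* The check the patch adds: refuse the claim if any slot is NULL. */
int validate_claim_values(const struct claim *c)
{
	uint32_t i;
	for (i = 0; i < c->value_count; i++) {
		if (c->values[i].int_value == NULL) {
			return -1;	/* plays the role of NT_STATUS_INVALID_PARAMETER */
		}
	}
	return 0;
}

/* Read value i as an int64; only safe after validate_claim_values() passed. */
int64_t claim_int_at(const struct claim *c, uint32_t i)
{
	int64_t v;
	memcpy(&v, c->values[i].int_value, sizeof(v));
	return v;
}

/* Constructed sample: 24-byte buffer holding 7 at offset 8 and 42 at offset 16. */
/* Offsets {8, 0, 16}: the zero offset produces a NULL slot, so the claim is rejected. */
int example_claim_with_null_is_rejected(void)
{
	int64_t raw[3] = {0, 7, 42};
	uint32_t offsets[3] = {8, 0, 16};
	union claim_value vals[3];
	struct claim c = { CLAIM_TYPE_INT64, 3, vals };

	if (decode_claim_values((uint8_t *)raw, sizeof(raw), offsets, 3, vals) != 0) {
		return 0;
	}
	return validate_claim_values(&c) == -1;
}

/* Offsets {8, 16}: no NULL slots, validation passes and the values are readable. */
int64_t example_valid_claim_second_value(void)
{
	int64_t raw[3] = {0, 7, 42};
	uint32_t offsets[2] = {8, 16};
	union claim_value vals[2];
	struct claim c = { CLAIM_TYPE_INT64, 2, vals };

	if (decode_claim_values((uint8_t *)raw, sizeof(raw), offsets, 2, vals) != 0) {
		return -1;
	}
	if (validate_claim_values(&c) != 0) {
		return -1;
	}
	return claim_int_at(&c, 1);
}

/* Offsets {8, 20}: 20 leaves only 4 bytes in a 24-byte buffer, so decoding fails. */
int example_out_of_range_is_rejected(void)
{
	int64_t raw[3] = {0, 7, 42};
	uint32_t offsets[2] = {8, 20};
	union claim_value vals[2];

	return decode_claim_values((uint8_t *)raw, sizeof(raw), offsets, 2, vals);
}
```

The point of the model is the ordering: the decoder is allowed to produce NULL slots, and the validation pass runs before any type-specific code touches the values, which is where the patch places its checks.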
-----------------------------------------------------------------------

Summary of changes:
 libcli/security/claims-conversions.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)


Changeset truncated at 500 lines:

diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c
index bbba5973852..ccf1375fc8f 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -262,6 +262,9 @@ static bool claim_v1_offset_to_ace_token(
 	uint8_t f = claim->flags & CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
 	result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR;
 
+	if (claim->values[offset].int_value == NULL) {
+		return false;
+	}
 	switch (claim->value_type) {
 	case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64:
 		return claim_v1_int_to_ace_int(claim, offset, result);
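Review bot: the NULL test reads `claim->values[offset].int_value` whatever `claim->value_type` says, so it is only sound if every member of the values union is a pointer; a one-line comment stating that would save the next reader a trip to the union definition. It also sits after `result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR;`, so a rejected claim leaves a partially written `result`; moving the `if (claim->values[offset].int_value == NULL)` block above the flags assignment would keep `result` untouched on the false path.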
@@ -935,6 +938,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx,
 		.case_sensitive = case_sensitive
 	};
 
+	/*
+	 * It could be that the values array contains a NULL pointer, in which
+	 * case we don't need to worry about what type it is.
+	 */
+	for (i = 0; i < claim->value_count; i++) {
+		if (claim->values[i].int_value == NULL) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+	}
+
 	if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) {
 		NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim);
 		if (NT_STATUS_IS_OK(status)) {
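Review bot: the loop uses `i` without declaring it in the hunk, so it relies on an `i` already in scope in claim_v1_check_and_sort; a loop-scoped `uint32_t i` would make the check self-contained and avoid clobbering any existing counter. The comment says the type does not matter but not why; stating that every union member is a pointer, so `int_value` is a valid stand-in for any of them, would make the intent clear. Note also that a claim with `value_count == 0` passes this loop unchanged; if an empty values array is also invalid, that needs its own check.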


-- 
Samba Shared Repository