[SCM] Samba Shared Repository - branch v4-20-test updated
Jule Anger
janger at samba.org
Wed Mar 20 12:04:02 UTC 2024
The branch, v4-20-test has been updated
via 28fc1850e5c libcli/security: check again for NULL values
via ce78896e262 libcli/security: claims_conversions: check for NULL in claims array
from 99b6feac932 WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test
- Log -----------------------------------------------------------------
commit 28fc1850e5c0b02f2ca0e0a8516457d56dc17cbd
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sun Mar 17 23:08:23 2024 +1300
libcli/security: check again for NULL values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=156067
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224
(cherry picked from commit b815abe77991d7929717ea3ed4b9d7bef7179715)
Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-20-test): Wed Mar 20 12:03:45 UTC 2024 on atb-devel-224
commit ce78896e262b3133141f53aa27158a6eee4d53ff
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sun Mar 17 23:07:17 2024 +1300
libcli/security: claims_conversions: check for NULL in claims array
If by mistake we end up with a NULL in our array of claims pointers,
it is better to return an error than crash.
There can be NULLs in the array if a resource attribute ACE has a
claim that uses 0 as a relative data pointer. Samba assumes this means
a NULL pointer, rather than a zero offset.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 78f728063a1e510966a45f7f1d9515ea3bd16214)
-----------------------------------------------------------------------
Summary of changes:
libcli/security/claims-conversions.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
Changeset truncated at 500 lines:
diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c
index bbba5973852..ccf1375fc8f 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -262,6 +262,9 @@ static bool claim_v1_offset_to_ace_token(
uint8_t f = claim->flags & CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR;
+ if (claim->values[offset].int_value == NULL) {
+ return false;
+ }
switch (claim->value_type) {
case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64:
return claim_v1_int_to_ace_int(claim, offset, result);
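Review bot: the new NULL test in claim_v1_offset_to_ace_token() reads claim->values[offset].int_value before the switch on claim->value_type, so it is applied to every value type through the int_value member. That is only correct if all members of values[offset] are pointers sharing the same storage, and nothing in the hunk says so. A short comment above the check stating that assumption, like the one added in claim_v1_check_and_sort(), would help the next reader. The visible context also does not show offset being compared against claim->value_count before values[offset] is read, so it is worth confirming that every caller guarantees the bound.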
@@ -935,6 +938,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx,
.case_sensitive = case_sensitive
};
+ /*
+ * It could be that the values array contains a NULL pointer, in which
+ * case we don't need to worry about what type it is.
+ */
+ for (i = 0; i < claim->value_count; i++) {
+ if (claim->values[i].int_value == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) {
NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim);
if (NT_STATUS_IS_OK(status)) {
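Review bot: the comment above the new loop in claim_v1_check_and_sort() says "we don't need to worry about what type it is", which reads as if a NULL entry were harmless, while the code rejects the whole claim with NT_STATUS_INVALID_PARAMETER. Suggest rewording it to say that a NULL entry is invalid for every value type and is therefore rejected before the type-specific checks, and carrying over the reason from the commit message (a resource attribute ACE claim that uses 0 as a relative data pointer), since that is the part a reader of the code will not be able to guess. As in the first hunk, the test goes through int_value for all value types, so the same note about the members sharing storage applies here.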
--
Samba Shared Repository