From: Gary Lockyer Date: Tue, 3 Dec 2019 19:46:57 +0000 (+1300) Subject: librpc ndr: Infinite loop parsing Suplemental creds X-Git-Tag: ldb-2.1.0~475 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7127a615cbd742695cea5865533c1ee7098ecc10;p=thirdparty%2Fsamba.git librpc ndr: Infinite loop parsing Suplemental creds Fuzzing by Michael Hanselmann found an infinite loop parsing a malformed supplemental credentials structure. There are no server-side network-accessible calls using this code. This patch adds an ndrdump blackbox test to replicate the issue. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13874 Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py
index 92a6c090c48..c92ff837e9b 100644
--- a/python/samba/tests/blackbox/ndrdump.py
+++ b/python/samba/tests/blackbox/ndrdump.py
@@ -261,3 +261,16 @@ dump OK
 # check_output will return bytes
 # convert expected to bytes for python 3
 self.assertEqual(actual, expected.encode('utf-8'))
+
+ def test_ndrdump_fuzzed_PackagesBlob(self):
+ expected = 'ndr_pull_string: ndr_pull_error\\(Buffer Size Error\\):'
+ command = (
+ "ndrdump drsblobs package_PackagesBlob struct --input='aw=='"
+ " --base64-input")
+ try:
+ actual = self.check_exit_code(command, 2)
+ except BlackboxProcessError as e:
+ self.fail(e)
+ # check_output will return bytes
+ # convert expected to bytes for python 3
+ self.assertRegex(actual.decode('utf8'), expected)
diff --git a/selftest/knownfail.d/bug-13874 b/selftest/knownfail.d/bug-13874
new file mode 100644
index 00000000000..9603bac8ca2
--- /dev/null
+++ b/selftest/knownfail.d/bug-13874
@@ -0,0 +1 @@
+^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_PackagesBlob\(none\)
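Review bot: The two comments above `assertRegex` in test_ndrdump_fuzzed_PackagesBlob are copied from the preceding test and no longer describe the code, since this test calls `check_exit_code`, decodes `actual`, and never encodes `expected`. I would replace them with `# check_exit_code returns bytes; decode before matching the regex` and add a comment on the command noting that `aw==` is base64 for the single byte 0x6b, so the next reader knows how small the triggering input is. Because the defect being reproduced is an infinite loop, it is worth confirming that `check_exit_code` bounds the child's runtime (not visible in this hunk); if it does not, a regression would hang the selftest run instead of failing it. The pattern would also read more clearly as a raw string, `expected = r'ndr_pull_string: ndr_pull_error\(Buffer Size Error\):'`.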