git.ipfire.org Git - thirdparty/samba.git/commit

author	Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
	Wed, 30 Jul 2025 09:18:09 +0000 (21:18 +1200)
committer	Douglas Bagnall <dbagnall@samba.org>
	Thu, 31 Jul 2025 05:45:07 +0000 (05:45 +0000)
commit	f1a828016921b4d5852148cdb2b8147ceafd7f69
tree	2f45828f9e365bffa5c7ee5d4fcae6e1a33e8108	tree
parent	c1ee6fe9a489a8923d607e14d26768935a398849	commit \| diff

librpc:bcrypt_rsakey_blob: exponent and modulus lengths can't be zero

Apart from it making no sense, without these ranges we end up
allocating a NULL buffer and aborting.

We also put a maximum size on the RSA key, in case we could get
tricked into a DoS by pulling a large buffer and trying crypto maths
on it.

6 0x572ebce2749a in talloc_abort samba/lib/talloc/talloc.c:506:3
7 0x572ebce271d4 in talloc_chunk_from_ptr samba/lib/talloc/talloc.c:0
8 0x572ebce271d4 in __talloc_with_prefix samba/lib/talloc/talloc.c:762:12
9 0x572ebce235f9 in __talloc samba/lib/talloc/talloc.c:825:9
10 0x572ebce235f9 in _talloc_named_const samba/lib/talloc/talloc.c:982:8
11 0x572ebce235f9 in _talloc_memdup samba/lib/talloc/talloc.c:2441:9
12 0x572ebc8f6a4f in data_blob_talloc_named samba/lib/util/data_blob.c:56:25
13 0x572ebc7d23bd in pull_BCRYPT_RSAPUBLIC_BLOB samba/librpc/ndr/ndr_keycredlink.c:878:17
14 0x572ebc7d23bd in ndr_pull_KeyMaterialInternal samba/librpc/ndr/ndr_keycredlink.c:959:10
15 0x572ebc788e90 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_keycredlink_TYPE_STRUCT.c:282:13

REF: https://issues.oss-fuzz.com/issues/435039896

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jul 31 05:45:07 UTC 2025 on atb-devel-224

librpc/idl/bcrypt_rsakey_blob.idl		diff \| blob \| blame \| history
python/samba/tests/bcrypt_rsakey_blob.py		diff \| blob \| blame \| history