librpc:ndr:keycredlink don't require that kmi be a talloc_context master
authorGary Lockyer <gary@catalyst.net.nz>
Wed, 6 Aug 2025 01:03:30 +0000 (13:03 +1200)
committerDouglas Bagnall <dbagnall@samba.org>
Wed, 6 Aug 2025 05:10:43 +0000 (05:10 +0000)
Requiring kmi to be a talloc context prevents fuzzing of
ndr_pull_KeyMaterialInternal, which we want to be able to do. So instead
allocate against the ndr talloc context; the callers can then talloc_steal or
memcpy the data as appropriate.

 5 abort
 6 talloc_abort samba/lib/talloc/talloc.c:506:3
 7 talloc_chunk_from_ptr samba/lib/talloc/talloc.c:0
 8 __talloc_with_prefix samba/lib/talloc/talloc.c:762:12
 9 __talloc samba/lib/talloc/talloc.c:825:9
10 _talloc_named_const samba/lib/talloc/talloc.c:982:8
11 _talloc_memdup samba/lib/talloc/talloc.c:2441:9
12 data_blob_talloc_named samba/lib/util/data_blob.c:56:25
13 pull_BCRYPT_RSAPUBLIC_BLOB samba/librpc/ndr/ndr_keycredlink.c:878:17
14 ndr_pull_KeyMaterialInternal samba/librpc/ndr/ndr_keycredlink.c:959:10
15 LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/
               fuzz_ndr_keycredlink_TYPE_STRUCT.c:282:13

REF: https://issues.oss-fuzz.com/issues/435760432

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Aug  6 05:10:43 UTC 2025 on atb-devel-224

librpc/ndr/ndr_keycredlink.c

index 7ce35be733e940f507f3289b0723c026af93ef09..0b9e327ed4585b0dfacdaeb5144e6c6e109d9139 100644 (file)
@@ -635,7 +635,6 @@ static enum ndr_err_code read_integer(TALLOC_CTX *mem_ctx,
  * @param[in,out] ndr       ndr pull context
  * @param[in]     ndr_flags
  * @param[out]    kmi       the KeyMaterialInternal structure to populate
- *                         kmi needs to be a talloc context.
  *
  * @return NDR_ERR_SUCCESS if successful
  *         The contents of kmi are undefined on an error
@@ -664,11 +663,13 @@ static enum ndr_err_code read_public_key(struct ndr_pull *ndr,
        }
 
        /* modulus INTEGER  */
-       NDR_CHECK(read_integer(kmi, ndr, asn, "MODULUS", &kmi->modulus));
+       NDR_CHECK(read_integer(
+               ndr->current_mem_ctx, ndr, asn, "MODULUS", &kmi->modulus));
        kmi->bit_size = (kmi->modulus.length * 8) - unused_bits;
 
        /* public exponent INTEGER */
-       NDR_CHECK(read_integer(kmi, ndr, asn, "EXPONENT", &kmi->exponent));
+       NDR_CHECK(read_integer(
+               ndr->current_mem_ctx, ndr, asn, "EXPONENT", &kmi->exponent));
 
        if (!asn1_end_tag(asn)) { /* RSAPublicKey */
                return ndr_pull_error(ndr,
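Review bot: The doc comments lose the "kmi needs to be a talloc context" line, but nothing replaces it with the new ownership rule. `kmi->modulus` and `kmi->exponent` are now allocated on `ndr->current_mem_ctx`, here in read_public_key and likewise in the pull_TPM20_RSAKEY_BLOB and pull_BCRYPT_RSAPUBLIC_BLOB hunks, so their data is released with that context rather than with kmi. A caller that keeps kmi after the pull context's memory is freed would be left with dangling blob pointers, and the talloc_steal/memcpy advice exists only in the commit message. I would add to each `@param[out] kmi` block, and above all to ndr_pull_KeyMaterialInternal, a line such as `modulus and exponent are allocated on ndr->current_mem_ctx; talloc_steal() or copy them to keep them beyond it`. read_public_key's body begins and ends outside this hunk.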
@@ -690,7 +691,6 @@ static enum ndr_err_code read_public_key(struct ndr_pull *ndr,
  * @param[in,out] ndr ndr pull context
  * @param[in]     ndr_flags
  * @param[out]    kmi the KeyMaterialInternal structure to populate
- *                    kmi needs to be a talloc context.
  * @param[in]     size number of bytes to process from the ndr context
  *
  * @return NDR_ERR_SUCCESS if successful
@@ -766,7 +766,6 @@ out:
  * @param[in,out] ndr       ndr pull context
  * @param[in]     ndr_flags
  * @param[out]    kmi       the KeyMaterialInternal structure to populate
- *                              kmi needs to be a talloc context.
  *
  * @return NDR_ERR_SUCCESS if successful
  *         The contents of kmi are undefined on an error
@@ -799,7 +798,7 @@ static enum ndr_err_code pull_TPM20_RSAKEY_BLOB(struct ndr_pull *ndr,
                goto out_km;
        }
        kmi->bit_size = km->public_key.rsa_detail.keyBits;
-       kmi->modulus = data_blob_talloc(kmi,
+       kmi->modulus = data_blob_talloc(ndr->current_mem_ctx,
                                        km->public_key.rsa.buffer,
                                        km->public_key.rsa.size);
        if (kmi->modulus.data == NULL) {
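Review bot: `kmi->bit_size` is taken from `km->public_key.rsa_detail.keyBits` while the modulus length comes separately from `km->public_key.rsa.size`, and nothing in this hunk ties the two together. The pull_BCRYPT_RSAPUBLIC_BLOB hunk has the same shape with `km->bit_length` and `km->modulus_len`. Both values appear to come from the parsed blob, so unless a check exists outside the hunk, a blob could declare a larger key size than the modulus it carries, and code that relies on bit_size for key-strength decisions would be misled. If no such check exists, one after the modulus copy, e.g. `if (kmi->bit_size > kmi->modulus.length * 8)` routed through the existing `out_km` error path, would close that. The function body starts and ends outside the hunk.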
@@ -810,7 +809,7 @@ static enum ndr_err_code pull_TPM20_RSAKEY_BLOB(struct ndr_pull *ndr,
                goto out_km;
        }
 
-       kmi->exponent = data_blob_talloc(kmi,
+       kmi->exponent = data_blob_talloc(ndr->current_mem_ctx,
                                         km->public_key.rsa_detail.exponent,
                                         TPM_RSA_EXPONENT_SIZE);
        if (kmi->exponent.data == NULL) {
@@ -837,7 +836,6 @@ out:
  * @param[in,out] ndr       ndr pull context
  * @param[in]     ndr_flags
  * @param[out]    kmi       the KeyMaterialInternal structure to populate
- *                              kmi needs to be a talloc context.
  *
  * @return NDR_ERR_SUCCESS if successful
  *         The contents of kmi are undefined on an error
@@ -873,7 +871,7 @@ static enum ndr_err_code pull_BCRYPT_RSAPUBLIC_BLOB(
 
        kmi->bit_size = km->bit_length;
 
-       kmi->modulus = data_blob_talloc(kmi,
+       kmi->modulus = data_blob_talloc(ndr->current_mem_ctx,
                                        km->modulus,
                                        km->modulus_len);
        if (kmi->modulus.data == NULL) {
@@ -884,7 +882,7 @@ static enum ndr_err_code pull_BCRYPT_RSAPUBLIC_BLOB(
                goto out_km;
        }
 
-       kmi->exponent = data_blob_talloc(kmi,
+       kmi->exponent = data_blob_talloc(ndr->current_mem_ctx,
                                         km->public_exponent,
                                         km->public_exponent_len);
        if (kmi->exponent.data == NULL) {
@@ -912,7 +910,6 @@ out:
  * @param[in,out] ndr       ndr pull context
  * @param[in]     ndr_flags
  * @param[out]    kmi       the KeyMaterialInternal structure to populate
- *                              kmi needs to be a talloc context.
  *
  * @return NDR_ERR_SUCCESS if successful
  *         The contents of kmi are undefined on an error
@@ -978,7 +975,6 @@ enum ndr_err_code ndr_pull_KeyMaterialInternal(struct ndr_pull *ndr,
  * @param[in,out] ndr       ndr push context
  * @param[in]     ndr_flags
  * @param[out]    kmi       the KeyMaterialInternal structure to populate
- *                              kmi needs to be a talloc context.
  *
  * @note This is not currently implemented and will always return
  *       NDR_ERR_VALIDATE