libcli/security: allow round-trip for conditional ACE octal integers
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 13 Dec 2023 04:20:38 +0000 (17:20 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 14 Dec 2023 03:31:37 +0000 (03:31 +0000)
The string "00" will decode into an integer tagged as octal, but
`snprintf("%#oll")` will write the string "0", which would decode as
decimal, so in the SDDL1->SD1->SDDL2->SD2 round trip, SD1 would
not be the same as SD2.

The effect is really only relevant to SDDL, which wants to remember
what base the numbers were presented in, though the fuzzers and tests
don't directly compare SDDL, which can have extra spaces and so forth.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62929

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security/sddl_conditional_ace.c

index d281e186a6c496798a8bf9f3a9b9efc6e29600c9..46dd1714ba5a1a91e71954d9eefa376ef9ee4906 100644 (file)
@@ -635,7 +635,7 @@ static bool sddl_write_int(struct sddl_write_context *ctx,
        if (sign == CONDITIONAL_ACE_INT_SIGN_NONE) {
                /* octal and hex will end up unsigned! */
                if (base == CONDITIONAL_ACE_INT_BASE_8) {
-                       snprintf(buf, sizeof(buf), "%#"PRIo64, v);
+                       snprintf(buf, sizeof(buf), "0%"PRIo64, v);
                } else if (base == CONDITIONAL_ACE_INT_BASE_10) {
                        snprintf(buf, sizeof(buf), "%"PRId64, v);
                } else {
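Review bot: The literal `0` prefix in the octal branch of the unsigned path has no comment saying why `%#` is avoided, so a later cleanup could quietly restore `"%#"PRIo64` and bring back the round-trip mismatch for the value zero. I would add above the call `/* not "%#o": that prints zero as "0", which parses back as decimal */`; the same comment applies to the `"0%llo"` line in the signed path further down. Zero now prints as two characters instead of one, which should fit any buffer that already held a non-zero octal value, but `buf` is declared outside the hunk and the snprintf() result is not checked, so that is worth confirming against the declaration. sddl_write_int's body starts before and continues after the hunk.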
@@ -673,7 +673,7 @@ static bool sddl_write_int(struct sddl_write_context *ctx,
        buf[0] = (v < 0) ? '-' : '+';
 
        if (base == CONDITIONAL_ACE_INT_BASE_8) {
-               snprintf(buf + 1, sizeof(buf) - 1, "%#llo", llabs(v));
+               snprintf(buf + 1, sizeof(buf) - 1, "0%llo", llabs(v));
        } else {
                snprintf(buf + 1, sizeof(buf) - 1, "%#llx", llabs(v));
        }
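Review bot: `llabs(v)` on the new octal line is undefined when `v` is INT64_MIN, and nothing in this hunk rules that value out. A check may exist earlier in sddl_write_int, which starts outside the hunk, but if it does not, input that decodes to that value would reach this call. Computing the magnitude in unsigned arithmetic avoids the problem and lets the signed path use the same format macro as the unsigned one: `uint64_t mag = (v < 0) ? 0 - (uint64_t)v : (uint64_t)v;` then `snprintf(buf + 1, sizeof(buf) - 1, "0%"PRIo64, mag);`. The hex branch two lines below calls `llabs(v)` the same way and would need the same treatment.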