From: Gary Lockyer
Date: Wed, 6 Aug 2025 01:03:30 +0000 (+1200)
Subject: librpc:ndr:keycredlink don't require that kmi be a talloc_context
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e2901e0619a8eae7c5211a76a39fd06ad21473b;p=thirdparty%2Fsamba.git

librpc:ndr:keycredlink don't require that kmi be a talloc_context

This prevents fuzzing of ndr_pull_KeyMaterialInternal which we want. So instead allocate against the ndr talloc context, then the callers can talloc_steal, memcpy the data as appropriate.

5 abort
6 talloc_abort samba/lib/talloc/talloc.c:506:3
7 talloc_chunk_from_ptr samba/lib/talloc/talloc.c:0
8 __talloc_with_prefix samba/lib/talloc/talloc.c:762:12
9 __talloc samba/lib/talloc/talloc.c:825:9
10 _talloc_named_const samba/lib/talloc/talloc.c:982:8
11 _talloc_memdup samba/lib/talloc/talloc.c:2441:9
12 data_blob_talloc_named samba/lib/util/data_blob.c:56:25
13 pull_BCRYPT_RSAPUBLIC_BLOB samba/librpc/ndr/ndr_keycredlink.c:878:17
14 ndr_pull_KeyMaterialInternal samba/librpc/ndr/ndr_keycredlink.c:959:10
15 LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/ fuzz_ndr_keycredlink_TYPE_STRUCT.c:282:13

REF: https://issues.oss-fuzz.com/issues/435760432

Signed-off-by: Gary Lockyer
Reviewed-by: Douglas Bagnall

Autobuild-User(master): Douglas Bagnall
Autobuild-Date(master): Wed Aug 6 05:10:43 UTC 2025 on atb-devel-224
---

diff --git a/librpc/ndr/ndr_keycredlink.c b/librpc/ndr/ndr_keycredlink.c
index 7ce35be733e..0b9e327ed45 100644
--- a/librpc/ndr/ndr_keycredlink.c
+++ b/librpc/ndr/ndr_keycredlink.c
@@ -635,7 +635,6 @@ static enum ndr_err_code read_integer(TALLOC_CTX *mem_ctx,
 * @param[in,out] ndr ndr pull context
 * @param[in] ndr_flags
 * @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
 *
 * @return NDR_ERR_SUCCESS if successful
 * The contents of kmi are undefined on an error
@@ -664,11 +663,13 @@ static enum ndr_err_code read_public_key(struct ndr_pull *ndr,
 }
 /* modulus INTEGER */
- NDR_CHECK(read_integer(kmi, ndr, asn, "MODULUS", &kmi->modulus));
+ NDR_CHECK(read_integer(
+ ndr->current_mem_ctx, ndr, asn, "MODULUS", &kmi->modulus));
 kmi->bit_size = (kmi->modulus.length * 8) - unused_bits;
 /* public exponent INTEGER */
- NDR_CHECK(read_integer(kmi, ndr, asn, "EXPONENT", &kmi->exponent));
+ NDR_CHECK(read_integer(
+ ndr->current_mem_ctx, ndr, asn, "EXPONENT", &kmi->exponent));
 if (!asn1_end_tag(asn)) { /* RSAPublicKey */
 return ndr_pull_error(ndr,
@@ -690,7 +691,6 @@ static enum ndr_err_code read_public_key(struct ndr_pull *ndr,
 * @param[in,out] ndr ndr pull context
 * @param[in] ndr_flags
 * @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
 * @param[in] size number of bytes to process from the ndr context
 *
 * @return NDR_ERR_SUCCESS if successful
@@ -766,7 +766,6 @@ out:
 * @param[in,out] ndr ndr pull context
 * @param[in] ndr_flags
 * @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
 *
 * @return NDR_ERR_SUCCESS if successful
 * The contents of kmi are undefined on an error
@@ -799,7 +798,7 @@ static enum ndr_err_code pull_TPM20_RSAKEY_BLOB(struct ndr_pull *ndr,
 goto out_km;
 }
 kmi->bit_size = km->public_key.rsa_detail.keyBits;
- kmi->modulus = data_blob_talloc(kmi,
+ kmi->modulus = data_blob_talloc(ndr->current_mem_ctx,
 km->public_key.rsa.buffer,
 km->public_key.rsa.size);
 if (kmi->modulus.data == NULL) {
@@ -810,7 +809,7 @@ static enum ndr_err_code pull_TPM20_RSAKEY_BLOB(struct ndr_pull *ndr,
 goto out_km;
 }
- kmi->exponent = data_blob_talloc(kmi,
+ kmi->exponent = data_blob_talloc(ndr->current_mem_ctx,
 km->public_key.rsa_detail.exponent,
 TPM_RSA_EXPONENT_SIZE);
 if (kmi->exponent.data == NULL) {
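Review bot: The lifetime of the data these routines now hand back is not documented anywhere after this change: read_integer() is given ndr->current_mem_ctx as its mem_ctx and, going by its signature, presumably allocates kmi->modulus and kmi->exponent there, yet the doc comments edited in the -635, -690, -766, -837, -912 and -978 hunks only drop the old `kmi needs to be a talloc context.` line and say nothing about where the blobs live or how long they stay valid, and the same applies to the four direct `data_blob_talloc(ndr->current_mem_ctx, …)` sites in the -799, -810, -873 and -884 hunks. A caller that keeps kmi after freeing the ndr pull context would be left holding dangling modulus/exponent pointers, which the commit message ("callers can talloc_steal, memcpy the data") acknowledges but the code does not. I would replace the removed line in each of those `@param[out] kmi` blocks with `* modulus and exponent are allocated on ndr->current_mem_ctx; the` / `* caller must talloc_steal() or copy them before the ndr context is freed.`. The body of read_public_key starts and ends outside this hunk.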
@@ -837,7 +836,6 @@ out:
 * @param[in,out] ndr ndr pull context
 * @param[in] ndr_flags
 * @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
 *
 * @return NDR_ERR_SUCCESS if successful
 * The contents of kmi are undefined on an error
@@ -873,7 +871,7 @@ static enum ndr_err_code pull_BCRYPT_RSAPUBLIC_BLOB(
 kmi->bit_size = km->bit_length;
- kmi->modulus = data_blob_talloc(kmi,
+ kmi->modulus = data_blob_talloc(ndr->current_mem_ctx,
 km->modulus,
 km->modulus_len);
 if (kmi->modulus.data == NULL) {
@@ -884,7 +882,7 @@ static enum ndr_err_code pull_BCRYPT_RSAPUBLIC_BLOB(
 goto out_km;
 }
- kmi->exponent = data_blob_talloc(kmi,
+ kmi->exponent = data_blob_talloc(ndr->current_mem_ctx,
 km->public_exponent,
 km->public_exponent_len);
 if (kmi->exponent.data == NULL) {
@@ -912,7 +910,6 @@ out:
 * @param[in,out] ndr ndr pull context
 * @param[in] ndr_flags
 * @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
 *
 * @return NDR_ERR_SUCCESS if successful
 * The contents of kmi are undefined on an error
@@ -978,7 +975,6 @@ enum ndr_err_code ndr_pull_KeyMaterialInternal(struct ndr_pull *ndr,
 * @param[in,out] ndr ndr push context
 * @param[in] ndr_flags
 * @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
 *
 * @note This is not currently implemented and will always return
 * NDR_ERR_VALIDATE