From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Fri, 22 Sep 2023 03:19:32 +0000 (+1200)
Subject: fuzzing: fuzz_sddl_parse forgives bad utf-8
X-Git-Tag: tevent-0.16.0~401
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3be69fc3dcedee77d8eacf7cf82d0f33df2d42fe;p=thirdparty%2Fsamba.git

fuzzing: fuzz_sddl_parse forgives bad utf-8

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/lib/fuzzing/fuzz_sddl_parse.c b/lib/fuzzing/fuzz_sddl_parse.c
index be85ce4f7ee..05900b02e2f 100644
--- a/lib/fuzzing/fuzz_sddl_parse.c
+++ b/lib/fuzzing/fuzz_sddl_parse.c
@@ -20,6 +20,7 @@
 #include "libcli/security/security.h"
 #include "librpc/gen_ndr/conditional_ace.h"
 #include "fuzzing/fuzzing.h"
+#include "util/charset/charset.h"
 
 #define MAX_LENGTH (100 * 1024 - 1)
 static char sddl_string[MAX_LENGTH + 1] = {0};
@@ -55,6 +56,28 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 		goto end;
 	}
 	result = sddl_encode(mem_ctx, sd1, &dom_sid);
+	if (result == NULL) {
+		/*
+		 * Because Samba currently doesn't enforce strict
+		 * utf-8 parsing, illegal utf-8 sequences in
+		 * sddl_string could have ferried bad characters
+		 * through into the security descriptor conditions
+		 * that we then find we can't encode.
+		 *
+		 * The proper solution is strict UTF-8 enforcement in
+		 * sddl_decode, but for now we forgive unencodable
+		 * security descriptors made from bad utf-8.
+		 */
+		size_t byte_len, char_len, utf16_len;
+		ok = utf8_check(sddl_string, len,
+				&byte_len, &char_len, &utf16_len);
+		if (!ok) {
+			goto end;
+		}
+		/* utf-8 was fine, but we couldn't encode! */
+		abort();
+	}
+
 	sd2 = sddl_decode(mem_ctx, result, &dom_sid);
 	if (sd2 == NULL) {
 		if (strlen(result) > CONDITIONAL_ACE_MAX_LENGTH) {