From: Douglas Bagnall
Date: Wed, 13 Dec 2023 02:39:33 +0000 (+1300)
Subject: libcli/security: don't allow conditional ACE SIDs to have trailing bytes
X-Git-Tag: talloc-2.4.2~337
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a016ce70684e5237764b2432fa182ba8b0af6b0b;p=thirdparty%2Fsamba.git

libcli/security: don't allow conditional ACE SIDs to have trailing bytes

They should be tightly packed, allowing conditional ACEs to round-trip.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64197

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---

diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
index 1876b52c141..158c8ecf82e 100644
--- a/libcli/security/conditional_ace.c
+++ b/libcli/security/conditional_ace.c
@@ -254,6 +254,8 @@ static ssize_t pull_sid(TALLOC_CTX *mem_ctx,
 if (ndr == NULL) {
 return -1;
 }
+ ndr->flags |= LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES;
+
 ndr_err = ndr_pull_ace_condition_sid(ndr, NDR_SCALARS|NDR_BUFFERS, tok);
 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 TALLOC_FREE(ndr);
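Review bot: The added `ndr->flags |=` line carries no comment, and the reason it matters — a SID token whose declared size over-states the actual SID must be rejected rather than silently accepted with slack bytes, so that pull and push round-trip byte-for-byte — lives only in the commit message. Suggest `/* Reject trailing bytes inside the SID token: its declared size must match the SID exactly so conditional ACEs round-trip (OSS-Fuzz 64197). */` directly above the new line. Whether the flag has any effect depends on ndr_pull_ace_condition_sid's generated code pulling the SID through a subcontext, which is not visible in this hunk; if it does not, the check is a silent no-op, so a regression test feeding a SID token whose length field exceeds the encoded SID, asserting that pull_sid now fails, would pin the intended behaviour. pull_sid begins and ends outside this hunk.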