From: Douglas Bagnall
Date: Thu, 21 Sep 2023 03:03:23 +0000 (+1200)
Subject: lib/fuzzing: fuzz_sddl_parse: allow non-round-trip with long strings
X-Git-Tag: tevent-0.16.0~406
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b3f92b475c31bd2a4423c7531c62cc621bb102e6;p=thirdparty%2Fsamba.git

lib/fuzzing: fuzz_sddl_parse: allow non-round-trip with long strings

There is a borderline case where a conditional ACE unicode string becomes longer than the SDDL parser wants to handle when control characters are given canonical escaping. This can make the round trip fail, but it isn't really a problem.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---

diff --git a/lib/fuzzing/fuzz_sddl_parse.c b/lib/fuzzing/fuzz_sddl_parse.c
index 1f8c32c595b..be85ce4f7ee 100644
--- a/lib/fuzzing/fuzz_sddl_parse.c
+++ b/lib/fuzzing/fuzz_sddl_parse.c
@@ -18,6 +18,7 @@
 #include "includes.h"
 #include "libcli/security/security.h"
+#include "librpc/gen_ndr/conditional_ace.h"
 #include "fuzzing/fuzzing.h"
 #define MAX_LENGTH (100 * 1024 - 1)
@@ -55,6 +56,27 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 	}
 	result = sddl_encode(mem_ctx, sd1, &dom_sid);
 	sd2 = sddl_decode(mem_ctx, result, &dom_sid);
+	if (sd2 == NULL) {
+		if (strlen(result) > CONDITIONAL_ACE_MAX_LENGTH) {
+			/*
+			 * This could fail if a unicode string or
+			 * attribute name that contains escapable
+			 * bytes (e.g '\x0b') in an unescaped form in
+			 * the original string ends up with them in
+			 * the escaped form ("%000b") in the result
+			 * string, making the entire attribute name
+			 * too long for the arbitrary limit we set for
+			 * SDDL attribute names.
+			 *
+			 * We could increase that arbitrary limit (to,
+			 * say, CONDITIONAL_ACE_MAX_LENGTH * 5), but
+			 * that is getting very far from real world
+			 * needs.
+			 */
+			goto end;
+		}
+		abort();
+	}
 	ok = security_descriptor_equal(sd1, sd2);
 	if (!ok) {
 		abort();
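Review bot: The new escape hatch `strlen(result) > CONDITIONAL_ACE_MAX_LENGTH` measures the whole encoded descriptor, while the comment describes a limit on a single attribute name, so any decode failure on a long descriptor (inputs go up to MAX_LENGTH, 100 KiB) is now silently accepted rather than reported, including genuine round-trip bugs unrelated to control-character escaping. A narrower condition, such as additionally requiring that the encoded string grew relative to the input (`strlen(result) > len`, which is what canonical escaping implies), would keep the fuzzer's abort for the other cases; if the per-name limit check can be reproduced here that would be better still. Separately, `sddl_encode` returning NULL is not handled in the hunk and `result` is not checked above it as far as visible, so `strlen(result)` would dereference NULL; `if (result != NULL && strlen(result) > CONDITIONAL_ACE_MAX_LENGTH) {` avoids the undefined behaviour and still reaches `abort()`. LLVMFuzzerTestOneInput starts before this hunk and continues past it, including the `end:` label the new `goto` targets.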