From d33ed63147930377697535066fa96b9b4965ea41 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Wed, 13 Dec 2023 17:20:38 +1300 Subject: [PATCH] libcli/security: allow round-trip for conditional ACE octal integers The string "00" will decode into an integer tagged as octal, but `snprintf("%#oll")` will write the string "0", which would decode as decimal, so the in the SDDL1->SD1->SDDL2->SD2 round trip, SD1 would not be the same as SD2. The effect is really only relevant to SDDL, which wants to remember what base the numbers were presented in, though the fuzzers and tests don't directly compare SDDL, which can have extra spaces and so forth. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62929 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
 libcli/security/sddl_conditional_ace.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index d281e186a6c..46dd1714ba5 100644
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -635,7 +635,7 @@ static bool sddl_write_int(struct sddl_write_context *ctx,
 if (sign == CONDITIONAL_ACE_INT_SIGN_NONE) {
 /* octal and hex will end up unsigned! */
 if (base == CONDITIONAL_ACE_INT_BASE_8) {
- snprintf(buf, sizeof(buf), "%#"PRIo64, v);
+ snprintf(buf, sizeof(buf), "0%"PRIo64, v);
 } else if (base == CONDITIONAL_ACE_INT_BASE_10) {
 snprintf(buf, sizeof(buf), "%"PRId64, v);
 } else {
@@ -673,7 +673,7 @@ static bool sddl_write_int(struct sddl_write_context *ctx,
 buf[0] = (v < 0) ? '-' : '+';
 if (base == CONDITIONAL_ACE_INT_BASE_8) {
- snprintf(buf + 1, sizeof(buf) - 1, "%#llo", llabs(v));
+ snprintf(buf + 1, sizeof(buf) - 1, "0%llo", llabs(v));
 } else {
 snprintf(buf + 1, sizeof(buf) - 1, "%#llx", llabs(v));
 }
-- 
2.47.2
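Review bot: The hexadecimal branch left unchanged in the second hunk, `snprintf(buf + 1, sizeof(buf) - 1, "%#llx", llabs(v));`, has the same zero problem this patch fixes for octal, because the `#` flag prefixes `0x` only to a nonzero result and a base-16 zero is therefore written without its prefix. If the parser reads a bare `0` as decimal, as the description says, that value loses its base on the SDDL round trip too; writing the prefix literally, `"0x%llx"`, would keep it. The unsigned hex branch in the first hunk lies outside the visible lines (the hunk ends at `} else {`) and presumably needs the same change to its format string. sddl_write_int starts and ends outside both hunks, so any existing special-casing of zero cannot be seen from here.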