The encoder, being cautious not to overstep the arbitrary 10000 byte
boundary, might not encode an exactly 10000 byte condition. This
is an off-by-one, but in the safe direction.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65118
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 22 00:51:13 UTC 2023 on atb-devel-224
/* back to blob form */
ok = conditional_ace_encode_binary(mem_ctx, s1, &e2);
if (! ok) {
+ if (e1.length == CONDITIONAL_ACE_MAX_LENGTH) {
+ /*
+ * This is an edge case where the encoder and
+ * decoder treat the boundary slightly
+ * differently, and the encoder refuses to
+ * encode to the maximum length. This is not
+ * an issue in the real world.
+ */
+ TALLOC_FREE(mem_ctx);
+ return 0;
+ }
abort();
}
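Review bot: the new e1.length == CONDITIONAL_ACE_MAX_LENGTH branch inside if (! ok) returns 0 for every encoder failure on a maximum-length input, not only for the boundary refusal the comment describes, so the fuzzer will no longer abort on any other encode failure that happens to occur at exactly that length. Consider making the encoder and decoder agree on the limit so the round trip holds without an exception, or having the encoder report the reason for failure so this branch can match only the length refusal. The comment's "This is not an issue in the real world" would also be easier to verify later if it said why, for example by repeating the commit message's point that the encoder errs in the safe direction.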