From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Wed, 20 Dec 2023 01:26:00 +0000 (+1300)
Subject: fuzz: allow max size conditional ACE round-trip failure
X-Git-Tag: talloc-2.4.2~192
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b4563a24904e823497552f6e4ef77e8041f2cc5d;p=thirdparty%2Fsamba.git

fuzz: allow max size conditional ACE round-trip failure

The encoder, being cautious not to overstep the arbitrary 10000 byte
boundary, might not encode an exactly 10000 byte condition. This
is an off-by-one, but in the safe direction.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65118

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 22 00:51:13 UTC 2023 on atb-devel-224
---

diff --git a/lib/fuzzing/fuzz_conditional_ace_blob.c b/lib/fuzzing/fuzz_conditional_ace_blob.c
index ed0bbd536bc..ebbd90883aa 100644
--- a/lib/fuzzing/fuzz_conditional_ace_blob.c
+++ b/lib/fuzzing/fuzz_conditional_ace_blob.c
@@ -73,6 +73,17 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 	/* back to blob form */
 	ok = conditional_ace_encode_binary(mem_ctx, s1, &e2);
 	if (! ok) {
+		if (e1.length == CONDITIONAL_ACE_MAX_LENGTH) {
+			/*
+			 * This is an edge case where the encoder and
+			 * decoder treat the boundary slightly
+			 * differently, and the encoder refuses to
+			 * encode to the maximum length. This is not
+			 * an issue in the real world.
+			 */
+			TALLOC_FREE(mem_ctx);
+			return 0;
+		}
 		abort();
 	}