From: Douglas Bagnall Date: Wed, 13 Dec 2023 04:20:38 +0000 (+1300) Subject: libcli/security: allow round-trip for conditional ACE octal integers X-Git-Tag: talloc-2.4.2~333 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d33ed63147930377697535066fa96b9b4965ea41;p=thirdparty%2Fsamba.git libcli/security: allow round-trip for conditional ACE octal integers The string "00" will decode into an integer tagged as octal, but `snprintf("%#oll")` will write the string "0", which would decode as decimal, so the in the SDDL1->SD1->SDDL2->SD2 round trip, SD1 would not be the same as SD2. The effect is really only relevant to SDDL, which wants to remember what base the numbers were presented in, though the fuzzers and tests don't directly compare SDDL, which can have extra spaces and so forth. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62929 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index d281e186a6c..46dd1714ba5 100644
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -635,7 +635,7 @@ static bool sddl_write_int(struct sddl_write_context *ctx,
 if (sign == CONDITIONAL_ACE_INT_SIGN_NONE) {
 /* octal and hex will end up unsigned! */
 if (base == CONDITIONAL_ACE_INT_BASE_8) {
- snprintf(buf, sizeof(buf), "%#"PRIo64, v);
+ snprintf(buf, sizeof(buf), "0%"PRIo64, v);
 } else if (base == CONDITIONAL_ACE_INT_BASE_10) {
 snprintf(buf, sizeof(buf), "%"PRId64, v);
 } else {
@@ -673,7 +673,7 @@ static bool sddl_write_int(struct sddl_write_context *ctx,
 buf[0] = (v < 0) ? '-' : '+';
 if (base == CONDITIONAL_ACE_INT_BASE_8) {
- snprintf(buf + 1, sizeof(buf) - 1, "%#llo", llabs(v));
+ snprintf(buf + 1, sizeof(buf) - 1, "0%llo", llabs(v));
 } else {
 snprintf(buf + 1, sizeof(buf) - 1, "%#llx", llabs(v));
 }
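Review bot: The octal branch in the first hunk (`"0%"PRIo64`) carries no comment explaining why the prefix is written by hand rather than with the `#` flag, so a later cleanup could restore `%#` and reintroduce the zero round-trip mismatch without anyone noticing. I would add `/* "%#o" prints zero as "0", which re-parses as decimal; write the leading 0 ourselves so "00" stays octal */` above the snprintf; the same applies to the `"0%llo"` line in the second hunk. A regression case that pins the "00" input reported by the fuzzer would be worth having next to it, if one is not added elsewhere in the series. sddl_write_int starts and ends outside both hunks.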
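Review bot: In the signed octal branch of the second hunk, `llabs(v)` is undefined for `v == INT64_MIN`, and its `long long` result is passed to `%llo`, which expects an `unsigned long long`. No guard for the minimum value is visible in the hunk; if one exists earlier in sddl_write_int (the function body lies outside the hunk), a short comment here pointing at it would help, and otherwise the magnitude can be computed without overflow, e.g. `unsigned long long mag = (v < 0) ? 0 - (unsigned long long)v : (unsigned long long)v;`, and printed with `"0%llo"`. The snprintf return value is also ignored on this line, so a truncated number would go unnoticed unless the length is validated later in the function.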