librpc: Do not follow a NULL pointer when calculating the size of a structure
authorAndrew Bartlett <abartlet@samba.org>
Tue, 19 Nov 2019 03:58:57 +0000 (16:58 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 12 Dec 2019 02:30:40 +0000 (02:30 +0000)
Found by Douglas Bagnall using Honggfuzz and the new fuzz_ndr_X
fuzzer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
librpc/ndr/ndr.c
selftest/knownfail.d/ndrdump-NULL-struct [deleted file]

index 6cc53b6e03a954f346aba91c715af3d467530acd..dc83cf35ffd96cd8f5d5c45554d6a30ce434d927 100644 (file)
@@ -1492,6 +1492,11 @@ _PUBLIC_ size_t ndr_size_struct(const void *p, int flags, ndr_push_flags_fn_t pu
        /* avoid recursion */
        if (flags & LIBNDR_FLAG_NO_NDR_SIZE) return 0;
 
+       /* Avoid following a NULL pointer */
+       if (p == NULL) {
+               return 0;
+       }
+
        ndr = ndr_push_init_ctx(NULL);
        if (!ndr) return 0;
        ndr->flags |= flags | LIBNDR_FLAG_NO_NDR_SIZE;
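Review bot: The new guard returns 0 for a NULL struct, which is the same value ndr_size_struct() already returns when LIBNDR_FLAG_NO_NDR_SIZE is set or ndr_push_init_ctx() fails, so a caller cannot tell "no data" from "could not size"; the comment should state that this is deliberate, e.g. `/* A NULL struct has no wire size; return 0 like the other early-out paths (callers cannot distinguish this from failure) */`. Writing it in the single-line `if (p == NULL) return 0;` form used by the two neighbouring checks would also keep the function's style uniform. If ndr_size_union() is structured the same way it presumably wants the same guard, which this commit does not appear to touch. ndr_size_struct() continues outside the hunk.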
diff --git a/selftest/knownfail.d/ndrdump-NULL-struct b/selftest/knownfail.d/ndrdump-NULL-struct
deleted file mode 100644 (file)
index 8131b07..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE