librpc ndr: Infinite loop parsing Supplemental creds
author Gary Lockyer <gary@catalyst.net.nz>
Tue, 3 Dec 2019 19:46:57 +0000 (08:46 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Wed, 4 Dec 2019 05:10:30 +0000 (05:10 +0000)
Fuzzing by Michael Hanselmann found an infinite loop parsing a malformed
supplemental credentials structure.  There are no server-side
network-accessible calls using this code.

This patch adds an ndrdump blackbox test to replicate the issue.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13874

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/blackbox/ndrdump.py
selftest/knownfail.d/bug-13874 [new file with mode: 0644]

index 92a6c090c48ecae4d267171d1bfe43cabdee5d6b..c92ff837e9bb72fc3541f077a3fef949d8710b42 100644 (file)
@@ -261,3 +261,16 @@ dump OK
         # check_output will return bytes
         # convert expected to bytes for python 3
         self.assertEqual(actual, expected.encode('utf-8'))
+
+    def test_ndrdump_fuzzed_PackagesBlob(self):
+        expected = 'ndr_pull_string: ndr_pull_error\\(Buffer Size Error\\):'
+        command = (
+            "ndrdump drsblobs package_PackagesBlob struct --input='aw=='"
+            " --base64-input")
+        try:
+            actual = self.check_exit_code(command, 2)
+        except BlackboxProcessError as e:
+            self.fail(e)
+        # check_output will return bytes
+        # convert expected to bytes for python 3
+        self.assertRegex(actual.decode('utf8'), expected)
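Review bot: the two comment lines above `self.assertRegex(...)` ("check_output will return bytes" / "convert expected to bytes for python 3") are copied from the preceding test and no longer describe this code, which decodes `actual` to str and matches `expected` as a regex instead of encoding `expected`; replace them with something like `# check_exit_code returns bytes; decode before matching the regex`. Otherwise the test is well targeted: a one-byte base64 input (`aw==`) is enough to reach the truncated-buffer path, and checking exit code 2 together with the `Buffer Size Error` message means a regression back into the loop cannot pass by accident.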
diff --git a/selftest/knownfail.d/bug-13874 b/selftest/knownfail.d/bug-13874
new file mode 100644 (file)
index 0000000..9603bac
--- /dev/null
@@ -0,0 +1 @@
+^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_PackagesBlob\(none\)
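Review bot: this knownfail entry is correct while the parser still loops, but the follow-up commit that fixes the ndr_pull loop for bug 13874 must remove selftest/knownfail.d/bug-13874 in the same series, otherwise the test will show up as an unexpected pass. A one-line `#` comment in the file pointing at https://bugzilla.samba.org/show_bug.cgi?id=13874 would make that dependency visible to whoever lands the fix.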