From b3f92b475c31bd2a4423c7531c62cc621bb102e6 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Thu, 21 Sep 2023 15:03:23 +1200
Subject: [PATCH] lib/fuzzing: fuzz_sddl_parse: allow non-round-trip with long strings

There is a borderline case where a conditional ACE unicode string becomes longer than the SDDL parser wants to handle when control characters are given canonical escaping. This can make the round trip fail, but it isn't really a problem.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 lib/fuzzing/fuzz_sddl_parse.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/lib/fuzzing/fuzz_sddl_parse.c b/lib/fuzzing/fuzz_sddl_parse.c
index 1f8c32c595b..be85ce4f7ee 100644
--- a/lib/fuzzing/fuzz_sddl_parse.c
+++ b/lib/fuzzing/fuzz_sddl_parse.c
@@ -18,6 +18,7 @@
 #include "includes.h"
 #include "libcli/security/security.h"
+#include "librpc/gen_ndr/conditional_ace.h"
 #include "fuzzing/fuzzing.h"
 #define MAX_LENGTH (100 * 1024 - 1)
@@ -55,6 +56,27 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 }
 result = sddl_encode(mem_ctx, sd1, &dom_sid);
 sd2 = sddl_decode(mem_ctx, result, &dom_sid);
+ if (sd2 == NULL) {
+ if (strlen(result) > CONDITIONAL_ACE_MAX_LENGTH) {
+ /*
+ * This could fail if a unicode string or
+ * attribute name that contains escapable
+ * bytes (e.g '\x0b') in an unescaped form in
+ * the original string ends up with them in
+ * the escaped form ("%000b") in the result
+ * string, making the entire attribute name
+ * too long for the arbitrary limit we set for
+ * SDDL attribute names.
+ *
+ * We could increase that arbitrary limit (to,
+ * say, CONDITIONAL_ACE_MAX_LENGTH * 5), but
+ * that is getting very far from real world
+ * needs.
+ */
+ goto end;
+ }
+ abort();
+ }
 ok = security_descriptor_equal(sd1, sd2);
 if (!ok) {
 abort();
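Review bot: `strlen(result)` on the new line `if (strlen(result) > CONDITIONAL_ACE_MAX_LENGTH)` is reached whenever sddl_decode() returns NULL, and nothing in the hunk shows `result` being checked after sddl_encode(); if sddl_encode() can return NULL here (allocation failure or an unencodable descriptor), the fuzzer would crash on a NULL dereference rather than reporting the encode failure. A guard such as `if (result != NULL && strlen(result) > CONDITIONAL_ACE_MAX_LENGTH) {` keeps the new branch to the case the comment describes. The tolerance is also broader than its rationale: it compares the length of the whole encoded SDDL string against the per-attribute-name limit, so any decode failure on a long output is now skipped, not only the escaping-growth case, which weakens the round-trip oracle for long inputs; worth stating that in the comment, e.g. `/* NOTE: whole-string length is a coarse proxy; other decode bugs on long output are skipped here too. */`, or narrowing the test if the offending attribute-name length is available. LLVMFuzzerTestOneInput and the `end:` label it jumps to lie outside the hunk.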