1
0
mirror of https://github.com/samba-team/samba.git synced 2025-02-24 13:57:43 +03:00

librpc ndr: add recursion check macros

Add macros to check the recursion depth.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19280
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Gary Lockyer 2020-01-30 08:49:07 +13:00 committed by Andrew Bartlett
parent 23d285d349
commit ba518a1deb
5 changed files with 187 additions and 1 deletions

View File

@ -79,6 +79,14 @@ struct ndr_pull {
/* this is used to ensure we generate unique reference IDs
between request and reply */
uint32_t ptr_count;
uint32_t recursion_depth;
/*
* The global maximum depth for recursion. When set it overrides the
* value supplied by the max_recursion idl attribute. This is needed
* for fuzzing as ASAN uses a low threshold for stack depth to check
* for stack overflow.
*/
uint32_t global_max_recursion;
};
/* structure passed to functions that generate NDR formatted data */
@ -249,7 +257,9 @@ enum ndr_err_code {
NDR_ERR_UNREAD_BYTES,
NDR_ERR_NDR64,
NDR_ERR_FLAGS,
NDR_ERR_INCOMPLETE_BUFFER
NDR_ERR_INCOMPLETE_BUFFER,
NDR_ERR_MAX_RECURSION_EXCEEDED,
NDR_ERR_UNDERFLOW
};
#define NDR_ERR_CODE_IS_SUCCESS(x) (x == NDR_ERR_SUCCESS)
@ -357,6 +367,31 @@ enum ndr_compression_alg {
} \
} while(0)
#define NDR_RECURSION_CHECK(ndr, d) do { \
uint32_t _ndr_min_ = (d); \
if (ndr->global_max_recursion && ndr->global_max_recursion < (d)) { \
_ndr_min_ = ndr->global_max_recursion; \
} \
ndr->recursion_depth++; \
if (unlikely(ndr->recursion_depth > _ndr_min_)) { \
return ndr_pull_error( \
ndr, \
NDR_ERR_MAX_RECURSION_EXCEEDED, \
"Depth of recursion exceeds (%u)", \
(unsigned) d); \
} \
} while (0)
#define NDR_RECURSION_UNWIND(ndr) do { \
if (unlikely(ndr->recursion_depth == 0)) { \
return ndr_pull_error( \
ndr, \
NDR_ERR_UNDERFLOW, \
"ndr_pull.recursion_depth is 0"); \
} \
ndr->recursion_depth--; \
} while (0)
/* these are used to make the error checking on each element in libndr
less tedious, hopefully making the code more readable */
#define NDR_CHECK(call) do { \

View File

@ -1950,6 +1950,8 @@ static const struct {
{ NDR_ERR_UNREAD_BYTES, "Unread Bytes" },
{ NDR_ERR_NDR64, "NDR64 assertion error" },
{ NDR_ERR_INCOMPLETE_BUFFER, "Incomplete Buffer" },
{ NDR_ERR_MAX_RECURSION_EXCEEDED, "Maximum Recursion Exceeded" },
{ NDR_ERR_UNDERFLOW, "Underflow" },
{ 0, NULL }
};

View File

@ -0,0 +1,138 @@
/*
* Tests for librpc ndr functions
*
* Copyright (C) Catalyst.NET Ltd 2020
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
/*
* from cmocka.c:
* These headers or their equivalents should be included prior to
* including
* this header file.
*
* #include <stdarg.h>
* #include <stddef.h>
* #include <setjmp.h>
*
* This allows test applications to use custom definitions of C standard
* library functions and types.
*
*/
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <setjmp.h>
#include <cmocka.h>
#include "librpc/ndr/libndr.h"
/*
* Test NDR_RECURSION_CHECK.
*/
static enum ndr_err_code wrap_NDR_RECURSION_CHECK(
struct ndr_pull *ndr,
uint32_t bytes) {
NDR_RECURSION_CHECK(ndr, bytes);
return NDR_ERR_SUCCESS;
}
static void test_NDR_RECURSION_CHECK(void **state)
{
struct ndr_pull ndr = {0};
enum ndr_err_code err;
ndr.global_max_recursion = 0;
ndr.recursion_depth = 42;
err = wrap_NDR_RECURSION_CHECK(&ndr, 43);
assert_int_equal(NDR_ERR_SUCCESS, err);
assert_int_equal(43, ndr.recursion_depth);
ndr.global_max_recursion = 0;
ndr.recursion_depth = 43;
err = wrap_NDR_RECURSION_CHECK(&ndr, 43);
assert_int_equal(NDR_ERR_MAX_RECURSION_EXCEEDED, err);
assert_int_equal(44, ndr.recursion_depth);
ndr.global_max_recursion = 0;
ndr.recursion_depth = 44;
err = wrap_NDR_RECURSION_CHECK(&ndr, 43);
assert_int_equal(NDR_ERR_MAX_RECURSION_EXCEEDED, err);
assert_int_equal(45, ndr.recursion_depth);
ndr.global_max_recursion = 5;
ndr.recursion_depth = 5;
err = wrap_NDR_RECURSION_CHECK(&ndr, 20);
assert_int_equal(NDR_ERR_MAX_RECURSION_EXCEEDED, err);
assert_int_equal(6, ndr.recursion_depth);
ndr.global_max_recursion = 5;
ndr.recursion_depth = 4;
err = wrap_NDR_RECURSION_CHECK(&ndr, 20);
assert_int_equal(NDR_ERR_SUCCESS, err);
assert_int_equal(5, ndr.recursion_depth);
ndr.global_max_recursion = 20;
ndr.recursion_depth = 5;
err = wrap_NDR_RECURSION_CHECK(&ndr, 5);
assert_int_equal(NDR_ERR_MAX_RECURSION_EXCEEDED, err);
assert_int_equal(6, ndr.recursion_depth);
ndr.global_max_recursion = 20;
ndr.recursion_depth = 4;
err = wrap_NDR_RECURSION_CHECK(&ndr, 5);
assert_int_equal(NDR_ERR_SUCCESS, err);
assert_int_equal(5, ndr.recursion_depth);
}
/*
* Test NDR_RECURSION_RETURN.
*/
static enum ndr_err_code wrap_NDR_RECURSION_UNWIND(
struct ndr_pull *ndr) {
NDR_RECURSION_UNWIND(ndr);
return NDR_ERR_SUCCESS;
}
static void test_NDR_RECURSION_UNWIND(void **state)
{
struct ndr_pull ndr = {0};
enum ndr_err_code err;
ndr.recursion_depth = 5;
err = wrap_NDR_RECURSION_UNWIND(&ndr);
assert_int_equal(NDR_ERR_SUCCESS, err);
assert_int_equal(4, ndr.recursion_depth);
ndr.recursion_depth = 0;
err = wrap_NDR_RECURSION_UNWIND(&ndr);
assert_int_equal(NDR_ERR_UNDERFLOW, err);
assert_int_equal(0, ndr.recursion_depth);
}
int main(int argc, const char **argv)
{
const struct CMUnitTest tests[] = {
cmocka_unit_test(test_NDR_RECURSION_CHECK),
cmocka_unit_test(test_NDR_RECURSION_UNWIND),
};
cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
return cmocka_run_group_tests(tests, NULL, NULL);
}

View File

@ -690,6 +690,15 @@ bld.SAMBA_SUBSYSTEM('NDR_FSRVP_STATE',
#
# Cmocka tests
#
bld.SAMBA_BINARY('test_ndr_macros',
source='tests/test_ndr_macros.c',
deps='''
cmocka
ndr
''',
for_selftest=True)
bld.SAMBA_BINARY('test_ndr_string',
source='tests/test_ndr_string.c',
deps='''

View File

@ -1346,6 +1346,8 @@ plantestsuite("librpc.ndr.ndr_string", "none",
[os.path.join(bindir(), "test_ndr_string")])
plantestsuite("librpc.ndr.ndr", "none",
[os.path.join(bindir(), "test_ndr")])
plantestsuite("librpc.ndr.ndr_macros", "none",
[os.path.join(bindir(), "test_ndr_macros")])
# process restart and limit tests, these break the environment so need to run
# in their own specific environment