libcli/security: claims_conversions: check for NULL in claims array

If by mistake we end up with a NULL in our array of claims pointers,
it is better to return an error than crash.

There can be NULLs in the array if a resource attribute ACE has a
claim that uses 0 as a relative data pointer. Samba assumes this means
a NULL pointer, rather than a zero offset.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 78f728063a1e510966a45f7f1d9515ea3bd16214)

libcli/security/claims-conversions.c

@@ -935,6 +935,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx,
 		.case_sensitive = case_sensitive
 	};
 
+	/*
+	 * It could be that the values array contains a NULL pointer, in which
+	 * case we don't need to worry about what type it is.
+	 */
+	for (i = 0; i < claim->value_count; i++) {
+		if (claim->values[i].int_value == NULL) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+	}
+
 	if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) {
 		NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim);
 		if (NT_STATUS_IS_OK(status)) {