diff options
| author | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2020-12-18 17:58:56 +1300 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2023-04-28 02:15:36 +0000 |
| commit | 9ab0d65fc0e0b52a7c24c2ca0d2b951a83e40acd (patch) | |
| tree | 953f1a4eddcfd990c13079bff1cc49e59da047af /lib/fuzzing | |
| parent | dc96e9cfd5dad8e4586ef6214214f225fdf852c2 (diff) | |
| download | samba-9ab0d65fc0e0b52a7c24c2ca0d2b951a83e40acd.tar.gz | |
lib/fuzzing: add fuzzer for sddl_parse
Apart from catching crashes in the actual parsing, we abort if the SD
we end up with will not round trip back through SDDL to an identical
SD.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'lib/fuzzing')
| -rw-r--r-- | lib/fuzzing/fuzz_sddl_parse.c | 65 | ||||
| -rw-r--r-- | lib/fuzzing/wscript_build | 5 |
2 files changed, 70 insertions, 0 deletions
diff --git a/lib/fuzzing/fuzz_sddl_parse.c b/lib/fuzzing/fuzz_sddl_parse.c new file mode 100644 index 00000000000..b6c48fb7ca5 --- /dev/null +++ b/lib/fuzzing/fuzz_sddl_parse.c @@ -0,0 +1,65 @@ +/* + Fuzz sddl decoding and encoding + Copyright (C) Catalyst IT 2023 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "libcli/security/security.h" +#include "fuzzing/fuzzing.h" + +#define MAX_LENGTH (100 * 1024 - 1) +static char sddl_string[MAX_LENGTH + 1] = {0}; +static struct dom_sid dom_sid = {0}; + +int LLVMFuzzerInitialize(int *argc, char ***argv) +{ + string_to_sid(&dom_sid, + "S-1-5-21-2470180966-3899876309-2637894779"); + return 0; +} + + +int LLVMFuzzerTestOneInput(uint8_t *input, size_t len) +{ + TALLOC_CTX *mem_ctx = NULL; + struct security_descriptor *sd1 = NULL; + struct security_descriptor *sd2 = NULL; + char *result = NULL; + bool ok; + + if (len > MAX_LENGTH) { + return 0; + } + + memcpy(sddl_string, input, len); + sddl_string[len] = '\0'; + + mem_ctx = talloc_new(NULL); + + sd1 = sddl_decode(mem_ctx, sddl_string, &dom_sid); + if (sd1 == NULL) { + goto end; + } + result = sddl_encode(mem_ctx, sd1, &dom_sid); + sd2 = sddl_decode(mem_ctx, result, &dom_sid); + ok = security_descriptor_equal(sd1, sd2); + if (!ok) { + abort(); + } +end: + talloc_free(mem_ctx); + return 0; +} diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build index ee3cfc14317..187c23c7cb8 100644 --- a/lib/fuzzing/wscript_build +++ b/lib/fuzzing/wscript_build @@ -32,6 +32,11 @@ bld.SAMBA_BINARY('fuzz_reg_parse', deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main', fuzzer=True) +bld.SAMBA_BINARY('fuzz_sddl_parse', + source='fuzz_sddl_parse.c', + deps='fuzzing samba-security afl-fuzz-main', + fuzzer=True) + bld.SAMBA_BINARY('fuzz_nmblib_parse_packet', source='fuzz_nmblib_parse_packet.c', deps='fuzzing libsmb afl-fuzz-main', |