author | Gary Lockyer <gary@catalyst.net.nz> | 2020-01-24 10:41:35 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2020-02-07 08:53:40 +0000 |
commit | ae6927e4f08dcea89729d8e54363e98effab6624 (patch) | |
tree | 715637f6f2fcaddb15b8ac43630e9f688e66648f /python | |
parent | c8e3c78d4f2a6f3e122fe458aa6835772290a700 (diff) | |
download | samba-ae6927e4f08dcea89729d8e54363e98effab6624.tar.gz |
librpc ndr: Heap-buffer-overflow in lzxpress_decompress
Reproducer for oss-fuzz Issue 20083
Project: samba
Fuzzing Engine: libFuzzer
Fuzz Target: fuzz_ndr_drsuapi_TYPE_OUT
Job Type: libfuzzer_asan_samba
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6040000002fd
Crash State:
lzxpress_decompress
ndr_pull_compression_xpress_chunk
ndr_pull_compression_start
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python')
-rw-r--r-- | python/samba/tests/blackbox/ndrdump.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py index b3c837819b1..205519c3f8a 100644 --- a/python/samba/tests/blackbox/ndrdump.py +++ b/python/samba/tests/blackbox/ndrdump.py @@ -437,3 +437,16 @@ dump OK self.fail(e) self.assertEqual(actual, expected) + + def test_ndrdump_fuzzed_ndr_compression(self): + expected = 'pull returned Buffer Size Error' + command = ( + "ndrdump drsuapi 3 out --base64-input " + "--input BwAAAAcAAAAGAAAAAwAgICAgICAJAAAAICAgIAkAAAAgIAAA//////8=") + try: + actual = self.check_exit_code(command, 2) + except BlackboxProcessError as e: + self.fail(e) + # check_output will return bytes + # convert expected to bytes for python 3 + self.assertRegex(actual.decode('utf8'), expected + '$') |
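Review bot: The comment `# check_output will return bytes` in test_ndrdump_fuzzed_ndr_compression names a helper this test never calls; `actual` comes from `self.check_exit_code(command, 2)`, so the comment should name that function or simply say that `actual` is bytes. The test also lacks a docstring or comment tying the base64 input to oss-fuzz issue 20083 and bug 14236, which leaves the blob opaque to anyone reading ndrdump.py without the commit message; a one-line reference above `command` would fix that. Minor: `expected + '$'` is passed to assertRegex as a pattern, which is fine for this literal string, but wrapping it in `re.escape(expected)` would keep the check correct if the message ever gains regex metacharacters.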