2 Fuzz sddl decoding and encoding
3 Copyright (C) Catalyst IT 2023
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #include "libcli/security/security.h"
21 #include "librpc/gen_ndr/conditional_ace.h"
22 #include "fuzzing/fuzzing.h"
23 #include "util/charset/charset.h"
25 #define MAX_LENGTH (100 * 1024 - 1)
26 static char sddl_string
[MAX_LENGTH
+ 1] = {0};
27 static struct dom_sid dom_sid
= {0};
29 int LLVMFuzzerInitialize(int *argc
, char ***argv
)
31 string_to_sid(&dom_sid
,
32 "S-1-5-21-2470180966-3899876309-2637894779");
37 int LLVMFuzzerTestOneInput(const uint8_t *input
, size_t len
)
39 TALLOC_CTX
*mem_ctx
= NULL
;
40 struct security_descriptor
*sd1
= NULL
;
41 struct security_descriptor
*sd2
= NULL
;
45 if (len
> MAX_LENGTH
) {
49 memcpy(sddl_string
, input
, len
);
50 sddl_string
[len
] = '\0';
52 mem_ctx
= talloc_new(NULL
);
54 sd1
= sddl_decode(mem_ctx
, sddl_string
, &dom_sid
);
58 result
= sddl_encode(mem_ctx
, sd1
, &dom_sid
);
61 * Because Samba currently doesn't enforce strict
62 * utf-8 parsing, illegal utf-8 sequences in
63 * sddl_string could have ferried bad characters
64 * through into the security descriptor conditions
65 * that we then find we can't encode.
67 * The proper solution is strict UTF-8 enforcement in
68 * sddl_decode, but for now we forgive unencodable
69 * security descriptors made from bad utf-8.
71 size_t byte_len
, char_len
, utf16_len
;
72 ok
= utf8_check(sddl_string
, len
,
73 &byte_len
, &char_len
, &utf16_len
);
77 /* utf-8 was fine, but we couldn't encode! */
81 sd2
= sddl_decode(mem_ctx
, result
, &dom_sid
);
83 if (strlen(result
) > CONDITIONAL_ACE_MAX_LENGTH
) {
85 * This could fail if a unicode string or
86 * attribute name that contains escapable
87 * bytes (e.g '\x0b') in an unescaped form in
88 * the original string ends up with them in
89 * the escaped form ("%000b") in the result
90 * string, making the entire attribute name
91 * too long for the arbitrary limit we set for
92 * SDDL attribute names.
94 * We could increase that arbitrary limit (to,
95 * say, CONDITIONAL_ACE_MAX_LENGTH * 5), but
96 * that is getting very far from real world
103 ok
= security_descriptor_equal(sd1
, sd2
);
108 talloc_free(mem_ctx
);