The branch, master has been updated
via 1e2901e0619 librpc:ndr:keycredlink don't require that kmi be a
talloc_context
via 4c53c579578 s4:kdc:db-glue talloc steal pub_key data
via 23f0d365223 librpc:ndr:keycredlink clean up includes
from d41d9f8d29a docs: document serverid command
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1e2901e0619a8eae7c5211a76a39fd06ad21473b
Author: Gary Lockyer <[email protected]>
Date: Wed Aug 6 13:03:30 2025 +1200
librpc:ndr:keycredlink don't require that kmi be a talloc_context
Requiring kmi to be a talloc context prevents fuzzing of
ndr_pull_KeyMaterialInternal, which we want to be able to do. So instead
allocate against the ndr talloc context; the callers can then talloc_steal
or memcpy the data as appropriate.
5 abort
6 talloc_abort samba/lib/talloc/talloc.c:506:3
7 talloc_chunk_from_ptr samba/lib/talloc/talloc.c:0
8 __talloc_with_prefix samba/lib/talloc/talloc.c:762:12
9 __talloc samba/lib/talloc/talloc.c:825:9
10 _talloc_named_const samba/lib/talloc/talloc.c:982:8
11 _talloc_memdup samba/lib/talloc/talloc.c:2441:9
12 data_blob_talloc_named samba/lib/util/data_blob.c:56:25
13 pull_BCRYPT_RSAPUBLIC_BLOB samba/librpc/ndr/ndr_keycredlink.c:878:17
14 ndr_pull_KeyMaterialInternal samba/librpc/ndr/ndr_keycredlink.c:959:10
15 LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/
fuzz_ndr_keycredlink_TYPE_STRUCT.c:282:13
REF: https://issues.oss-fuzz.com/issues/435760432
Signed-off-by: Gary Lockyer <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
Autobuild-User(master): Douglas Bagnall <[email protected]>
Autobuild-Date(master): Wed Aug 6 05:10:43 UTC 2025 on atb-devel-224
commit 4c53c579578155ac347b841d07497604d23ed02a
Author: Gary Lockyer <[email protected]>
Date: Wed Aug 6 13:00:32 2025 +1200
s4:kdc:db-glue talloc steal pub_key data
talloc_steal the data pointers of pub_key, modulus and exponent onto
pub_key.
To allow fuzz testing of ndr_pull_KeyMaterialInternal, the
KeyMaterialInternal struct is no longer required to be a talloc context,
so the data portions will be allocated on the ndr context.
Signed-off-by: Gary Lockyer <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
commit 23f0d36522358078aaffc4924729e7aef3d5489e
Author: Gary Lockyer <[email protected]>
Date: Wed Aug 6 12:58:45 2025 +1200
librpc:ndr:keycredlink clean up includes
Remove redundant and unused includes from librpc/ndr/ndr_keycredlink.c
Signed-off-by: Gary Lockyer <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
librpc/ndr/ndr_keycredlink.c | 24 +++++++++---------------
source4/kdc/db-glue.c | 5 +++++
2 files changed, 14 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/ndr/ndr_keycredlink.c b/librpc/ndr/ndr_keycredlink.c
index 286236060c4..0b9e327ed45 100644
--- a/librpc/ndr/ndr_keycredlink.c
+++ b/librpc/ndr/ndr_keycredlink.c
@@ -24,10 +24,8 @@
#include "lib/replace/replace.h"
-#include "librpc/gen_ndr/ndr_keycredlink.h"
-#include "gen_ndr/keycredlink.h"
+#include "gen_ndr/ndr_keycredlink.h"
#include "lib/util/data_blob.h"
-#include "lib/util/debug.h"
#include "libndr.h"
#include "librpc/gen_ndr/ndr_bcrypt_rsakey_blob.h"
#include "librpc/gen_ndr/ndr_tpm20_rsakey_blob.h"
@@ -637,7 +635,6 @@ static enum ndr_err_code read_integer(TALLOC_CTX *mem_ctx,
* @param[in,out] ndr ndr pull context
* @param[in] ndr_flags
* @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
*
* @return NDR_ERR_SUCCESS if successful
* The contents of kmi are undefined on an error
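Review bot: Dropping `kmi needs to be a talloc context.` leaves the ownership of the returned blobs undocumented. After this commit `kmi->modulus.data` and `kmi->exponent.data` are allocated on `ndr->current_mem_ctx`, so a caller that keeps kmi after that context is freed is left holding dangling pointers. I would replace the removed line with `* modulus and exponent data are allocated on ndr->current_mem_ctx; callers must talloc_steal or copy them to outlive it.` The same applies to the identical removals in the hunks at -692, -768, -839 and -914; the last appears to document the public ndr_pull_KeyMaterialInternal, where the contract matters most. The comment block continues outside the hunk.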
@@ -666,11 +663,13 @@ static enum ndr_err_code read_public_key(struct ndr_pull
*ndr,
}
/* modulus INTEGER */
- NDR_CHECK(read_integer(kmi, ndr, asn, "MODULUS", &kmi->modulus));
+ NDR_CHECK(read_integer(
+ ndr->current_mem_ctx, ndr, asn, "MODULUS", &kmi->modulus));
kmi->bit_size = (kmi->modulus.length * 8) - unused_bits;
/* public exponent INTEGER */
- NDR_CHECK(read_integer(kmi, ndr, asn, "EXPONENT", &kmi->exponent));
+ NDR_CHECK(read_integer(
+ ndr->current_mem_ctx, ndr, asn, "EXPONENT", &kmi->exponent));
if (!asn1_end_tag(asn)) { /* RSAPublicKey */
return ndr_pull_error(ndr,
@@ -692,7 +691,6 @@ static enum ndr_err_code read_public_key(struct ndr_pull
*ndr,
* @param[in,out] ndr ndr pull context
* @param[in] ndr_flags
* @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
* @param[in] size number of bytes to process from the ndr context
*
* @return NDR_ERR_SUCCESS if successful
@@ -768,7 +766,6 @@ out:
* @param[in,out] ndr ndr pull context
* @param[in] ndr_flags
* @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
*
* @return NDR_ERR_SUCCESS if successful
* The contents of kmi are undefined on an error
@@ -801,7 +798,7 @@ static enum ndr_err_code pull_TPM20_RSAKEY_BLOB(struct
ndr_pull *ndr,
goto out_km;
}
kmi->bit_size = km->public_key.rsa_detail.keyBits;
- kmi->modulus = data_blob_talloc(kmi,
+ kmi->modulus = data_blob_talloc(ndr->current_mem_ctx,
km->public_key.rsa.buffer,
km->public_key.rsa.size);
if (kmi->modulus.data == NULL) {
@@ -812,7 +809,7 @@ static enum ndr_err_code pull_TPM20_RSAKEY_BLOB(struct
ndr_pull *ndr,
goto out_km;
}
- kmi->exponent = data_blob_talloc(kmi,
+ kmi->exponent = data_blob_talloc(ndr->current_mem_ctx,
km->public_key.rsa_detail.exponent,
TPM_RSA_EXPONENT_SIZE);
if (kmi->exponent.data == NULL) {
@@ -839,7 +836,6 @@ out:
* @param[in,out] ndr ndr pull context
* @param[in] ndr_flags
* @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
*
* @return NDR_ERR_SUCCESS if successful
* The contents of kmi are undefined on an error
@@ -875,7 +871,7 @@ static enum ndr_err_code pull_BCRYPT_RSAPUBLIC_BLOB(
kmi->bit_size = km->bit_length;
- kmi->modulus = data_blob_talloc(kmi,
+ kmi->modulus = data_blob_talloc(ndr->current_mem_ctx,
km->modulus,
km->modulus_len);
if (kmi->modulus.data == NULL) {
@@ -886,7 +882,7 @@ static enum ndr_err_code pull_BCRYPT_RSAPUBLIC_BLOB(
goto out_km;
}
- kmi->exponent = data_blob_talloc(kmi,
+ kmi->exponent = data_blob_talloc(ndr->current_mem_ctx,
km->public_exponent,
km->public_exponent_len);
if (kmi->exponent.data == NULL) {
@@ -914,7 +910,6 @@ out:
* @param[in,out] ndr ndr pull context
* @param[in] ndr_flags
* @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
*
* @return NDR_ERR_SUCCESS if successful
* The contents of kmi are undefined on an error
@@ -980,7 +975,6 @@ enum ndr_err_code ndr_pull_KeyMaterialInternal(struct
ndr_pull *ndr,
* @param[in,out] ndr ndr push context
* @param[in] ndr_flags
* @param[out] kmi the KeyMaterialInternal structure to populate
- * kmi needs to be a talloc context.
*
* @note This is not currently implemented and will always return
* NDR_ERR_VALIDATE
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index f3e8bd9073c..a776dc008e6 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1305,6 +1305,11 @@ static krb5_error_code unpack_key_credential_link_blob(
TALLOC_FREE(*pub_key);
goto out;
}
+ /*
+ * Steal modulus and exponent data from the ndr context onto the pub_key
+ */
+ talloc_steal(*pub_key, (*pub_key)->modulus.data);
+ talloc_steal(*pub_key, (*pub_key)->exponent.data);
out:
TALLOC_FREE(tmp_ctx);
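Review bot: The added comment says what is moved but not why, and the reason is the safety-relevant part. The blobs are now allocated on the ndr pull context, which presumably hangs off `tmp_ctx` and is released by `TALLOC_FREE(tmp_ctx)` at `out:`, so without the two steals `*pub_key` would be returned with freed `modulus.data` and `exponent.data`. I would word it as `/* modulus and exponent were allocated on the ndr context, which is freed with tmp_ctx below; reparent them so they live as long as *pub_key */`. The coupling is implicit, so any blob field later added to KeyMaterialInternal needs a matching steal here. The function body starts and ends outside the hunk.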