libcli/security: claims_conversions: check for NULL in claims array
Author: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Sun, 17 Mar 2024 10:07:17 +0000 (23:07 +1300)
Committer: Jule Anger <janger@samba.org>
Wed, 20 Mar 2024 10:56:16 +0000 (10:56 +0000)
If by mistake we end up with a NULL in our array of claims pointers,
it is better to return an error than crash.

There can be NULLs in the array if a resource attribute ACE has a
claim that uses 0 as a relative data pointer. Samba assumes this means
a NULL pointer, rather than a zero offset.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 78f728063a1e510966a45f7f1d9515ea3bd16214)

libcli/security/claims-conversions.c

index bbba597385227261ec19356e50573407080bdd58..0d3b06de4fe8089bb1cba271fafe746ada22f0d6 100644 (file)
@@ -935,6 +935,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx,
                .case_sensitive = case_sensitive
        };
 
+       /*
+        * It could be that the values array contains a NULL pointer, in which
+        * case we don't need to worry about what type it is.
+        */
+       for (i = 0; i < claim->value_count; i++) {
+               if (claim->values[i].int_value == NULL) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+       }
+
        if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) {
                NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim);
                if (NT_STATUS_IS_OK(status)) {
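Review bot: The new loop at the top of the hunk tests `claim->values[i].int_value` for every claim regardless of `claim->value_type`, so its correctness depends on every member of the `values` union being a pointer that aliases `int_value`; the comment says "we don't need to worry about what type it is" but should state that assumption explicitly (e.g. "all members of the values union are pointers, so checking int_value covers every type") so a future non-pointer member is not silently missed. The loop also reuses `i` without declaring it in the hunk, so it relies on an earlier declaration in `claim_v1_check_and_sort`; worth confirming that `i` is not still needed with its previous value further down. Finally, the bare `return NT_STATUS_INVALID_PARAMETER;` gives no indication of which claim index was NULL; a `DBG_WARNING` naming the claim and index would make the fuzzer-found case diagnosable in production logs.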