CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode

Add search request size limits to ldap_decode calls.

The ldap server uses the smb.conf variable
"ldap max search request size" which defaults to 250Kb.
For cldap the limit is hard coded as 4096.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/ldap/ldap_message.c

@@ -1162,6 +1162,7 @@ static bool ldap_decode_attribs(TALLOC_CTX *mem_ctx, struct asn1_data *data,
 /* This routine returns LDAP status codes */
 
 _PUBLIC_ NTSTATUS ldap_decode(struct asn1_data *data,
+			      const struct ldap_request_limits *limits,
 			      const struct ldap_control_handler *control_handlers,
 			      struct ldap_message *msg)
 {

libcli/ldap/ldap_message.h

@@ -213,10 +213,15 @@ struct ldap_control_handler {
 	bool (*encode)(void *mem_ctx, void *in, DATA_BLOB *out);
 };
 
+struct ldap_request_limits {
+	unsigned max_search_size;
+};
+
 struct asn1_data;
 
 struct ldap_message *new_ldap_message(TALLOC_CTX *mem_ctx);
 NTSTATUS ldap_decode(struct asn1_data *data,
+	             const struct ldap_request_limits *limits,
 		     const struct ldap_control_handler *control_handlers,
 		     struct ldap_message *msg);
 bool ldap_encode(struct ldap_message *msg,

libcli/ldap/tests/ldap_message_test.c

@@ -117,6 +117,9 @@ static void test_empty_input(void **state)
 	NTSTATUS status;
 	uint8_t buf[0];
 	size_t len = 0;
+	struct ldap_request_limits limits = {
+		.max_search_size = 256000,
+	};
 
 
 	asn1 = asn1_init(test_ctx, ASN1_MAX_TREE_DEPTH);
@@ -127,7 +130,8 @@ static void test_empty_input(void **state)
 	ldap_msg = talloc(test_ctx, struct ldap_message);
 	assert_non_null(ldap_msg);
 
-	status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg);
+	status = ldap_decode(
+		asn1, &limits, samba_ldap_control_handlers(), ldap_msg);
 	assert_ldap_status_equal(LDAP_PROTOCOL_ERROR, status);
 }
 
@@ -149,6 +153,9 @@ static void test_recursion_depth_large(void **state)
 	uint8_t *buffer = NULL;
 	const size_t BUFF_SIZE = 1048576;
 	size_t len;
+	struct ldap_request_limits limits = {
+		.max_search_size = 256000,
+	};
 
 
 	/*
@@ -169,7 +176,8 @@ static void test_recursion_depth_large(void **state)
 	ldap_msg = talloc(test_ctx, struct ldap_message);
 	assert_non_null(ldap_msg);
 
-	status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg);
+	status = ldap_decode(
+		asn1, &limits, samba_ldap_control_handlers(), ldap_msg);
 	assert_ldap_status_equal(LDAP_PROTOCOL_ERROR, status);
 }
 
@@ -189,6 +197,9 @@ static void test_recursion_depth_equals_max(void **state)
 	uint8_t *buffer = NULL;
 	const size_t BUFF_SIZE = 1048576;
 	size_t len;
+	struct ldap_request_limits limits = {
+		.max_search_size = 256000,
+	};
 
 
 	buffer = talloc_zero_array(test_ctx, uint8_t, BUFF_SIZE);
@@ -205,7 +216,8 @@ static void test_recursion_depth_equals_max(void **state)
 	ldap_msg = talloc(test_ctx, struct ldap_message);
 	assert_non_null(ldap_msg);
 
-	status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg);
+	status = ldap_decode(
+		asn1, &limits, samba_ldap_control_handlers(), ldap_msg);
 	assert_true(NT_STATUS_IS_OK(status));
 }
 
@@ -225,6 +237,9 @@ static void test_recursion_depth_greater_than_max(void **state)
 	uint8_t *buffer = NULL;
 	const size_t BUFF_SIZE = 1048576;
 	size_t len;
+	struct ldap_request_limits limits = {
+		.max_search_size = 256000,
+	};
 
 
 	buffer = talloc_zero_array(test_ctx, uint8_t, BUFF_SIZE);
@@ -241,7 +256,8 @@ static void test_recursion_depth_greater_than_max(void **state)
 	ldap_msg = talloc(test_ctx, struct ldap_message);
 	assert_non_null(ldap_msg);
 
-	status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg);
+	status = ldap_decode(
+		asn1, &limits, samba_ldap_control_handlers(), ldap_msg);
 	assert_ldap_status_equal(LDAP_PROTOCOL_ERROR, status);
 }