mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2020-10704 libcli ldap: Check search request lengths.
Check the search request lengths against the limits passed to ldap_decode. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Gary Lockyer <gary@samba.org> Autobuild-Date(master): Mon May 4 04:40:10 UTC 2020 on sn-devel-184
This commit is contained in:
parent
3149ea0a8a
commit
bac809348a
@ -1175,3 +1175,10 @@ int asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size)
|
||||
*packet_size = size;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Get the length of the ASN.1 data
|
||||
*/
|
||||
size_t asn1_get_length(const struct asn1_data *asn1) {
|
||||
return asn1->length;
|
||||
}
|
||||
|
@ -106,5 +106,6 @@ bool asn1_extract_blob(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
|
||||
DATA_BLOB *pblob);
|
||||
void asn1_load_nocopy(struct asn1_data *data, uint8_t *buf, size_t len);
|
||||
int asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size);
|
||||
size_t asn1_get_length(const struct asn1_data *asn1);
|
||||
|
||||
#endif /* _ASN_1_H */
|
||||
|
@ -1259,7 +1259,11 @@ _PUBLIC_ NTSTATUS ldap_decode(struct asn1_data *data,
|
||||
struct ldap_SearchRequest *r = &msg->r.SearchRequest;
|
||||
int sizelimit, timelimit;
|
||||
const char **attrs = NULL;
|
||||
size_t request_size = asn1_get_length(data);
|
||||
msg->type = LDAP_TAG_SearchRequest;
|
||||
if (request_size > limits->max_search_size) {
|
||||
goto prot_err;
|
||||
}
|
||||
if (!asn1_start_tag(data, tag)) goto prot_err;
|
||||
if (!asn1_read_OctetString_talloc(msg, data, &r->basedn)) goto prot_err;
|
||||
if (!asn1_read_enumerated(data, (int *)(void *)&(r->scope))) goto prot_err;
|
||||
|
Loading…
Reference in New Issue
Block a user