mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2018-16851 ldap_server: Check ret before manipulating blob
In the case of hitting the talloc ~256MB limit, this causes a crash in the server. Note that you would actually need to load >256MB of data into the LDAP. Although there is some generated/hidden data which would help you reach that limit (descriptors and RMD blobs). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
c835e27a99
commit
d2c98abde1
@ -690,13 +690,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
|
||||
ret = data_blob_append(call, &blob, b.data, b.length);
|
||||
data_blob_free(&b);
|
||||
|
||||
talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
|
||||
|
||||
if (!ret) {
|
||||
ldapsrv_terminate_connection(conn, "data_blob_append failed");
|
||||
return;
|
||||
}
|
||||
|
||||
talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
|
||||
|
||||
DLIST_REMOVE(call->replies, call->replies);
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user