mirror of https://github.com/samba-team/samba.git synced 2025-03-12 20:58:37 +03:00

CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall 2021-10-22 16:03:18 +13:00 committed by Joseph Sutton
parent 32a46d01bb
commit ddde2b45c2
2 changed files with 41 additions and 2 deletions


@ -1,3 +1 @@
samba.tests.ldap_spn.+LdapSpnTest.test_spn_dodgy_spns
samba.tests.ldap_spn.+LdapSpnTest.test_spn_one_part_spns_no_slashes_
samba.tests.ldap_spn.+LdapSpnTest.test_spn_too_many_spn_parts


@ -3873,6 +3873,37 @@ static int check_spn_direct_collision(struct ldb_context *ldb,
}
static int count_spn_components(struct ldb_val val)
{
/*
* a 3 part servicePrincipalName has two slashes, like
* ldap/example.com/DomainDNSZones.example.com.
*
* In krb5_parse_name_flags() we don't count "\/" as a slash (i.e.
* escaped by a backslash), but this is not the behaviour of Windows
* on setting a servicePrincipalName -- slashes are counted regardless
* of backslashes.
*
* Accordingly, here we ignore backslashes. This will reject
* multi-slash SPNs that krb5_parse_name_flags() would accept, and
* allow ones in the form "a\/b" that it won't parse.
*/
size_t i;
int slashes = 0;
for (i = 0; i < val.length; i++) {
char c = val.data[i];
if (c == '/') {
slashes++;
if (slashes == 3) {
/* at this point we don't care */
return 4;
}
}
}
return slashes + 1;
}
/* Check that "servicePrincipalName" changes do not introduce a collision
* globally. */
static int samldb_spn_uniqueness_check(struct samldb_ctx *ac,
@ -3888,8 +3919,18 @@ static int samldb_spn_uniqueness_check(struct samldb_ctx *ac,
}
for (i = 0; i < spn_el->num_values; i++) {
int n_components;
spn = (char *)spn_el->values[i].data;
n_components = count_spn_components(spn_el->values[i]);
if (n_components > 3 || n_components < 2) {
ldb_asprintf_errstring(ldb,
"samldb: spn[%s] invalid with %u components",
spn, n_components);
talloc_free(tmp_ctx);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
ret = check_spn_direct_collision(ldb,
tmp_ctx,
spn,
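Review bot: In the `samldb_spn_uniqueness_check()` loop the component count is taken over `spn_el->values[i].length`, while the same value is then used as a NUL-terminated string (`spn`) in the error message and in the `check_spn_direct_collision()` call, so the validated bytes and the bytes used afterwards can differ if a value contains an embedded NUL. Unless something earlier in the module already rejects such values (not visible in this hunk), I would add a guard before counting that returns `LDB_ERR_CONSTRAINT_VIOLATION` when `strlen(spn) != spn_el->values[i].length`; this assumes ldb values carry a trailing NUL, as the existing `(char *)` cast already presumes. Separately, `n_components` is declared `int` but formatted with `%u` in `"samldb: spn[%s] invalid with %u components"`; `%d` matches the declaration. `count_spn_components()` also accepts empty components such as a trailing slash, which may be intended but deserves a sentence in its comment. The loop body continues past the end of the hunk.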