1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

7576 Commits

Author SHA1 Message Date
Jeremy Allison
a0934daa71 lib: util: Add a function nt_time_to_unix_timespec_raw().
Not yet used. Does no checks on the converted values.

A later cleanup will allow us to move nt_time_to_unix_timespec()
and nt_time_to_full_timespec() to use common code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
(cherry picked from commit 29d69c22a0)
2022-01-12 11:11:15 +00:00
Andrew Bartlett
08c9016cb9 CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
The LDB filter processing is where the time is spent in the LDB stack
but the timeout event will not get run while this is ongoing, so we
must confirm we have not yet timed out manually.

RN: Ensure that the LDB request has not timed out during filter processing
as the LDAP server MaxQueryDuration is otherwise not honoured.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 1d5b155619)
2021-12-02 10:33:13 +00:00
Ralph Boehme
4a106c2322 lib: handle NTTIME_THAW in nt_time_to_full_timespec()
Preliminary handling of NTTIME_THAW to avoid NTTIME_THAW is passed as some
mangled value down to the VFS set timestamps function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
RN: Avoid storing NTTIME_THAW (-2) as value on disk

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6ed71ad7e6)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Nov 10 15:54:35 UTC 2021 on sn-devel-184
2021-11-10 15:54:35 +00:00
Ralph Boehme
7e1a65ed98 lib: add a test for null_nttime(NTTIME_THAW)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 194faa7616)
2021-11-10 14:37:13 +00:00
Ralph Boehme
38ac4c0947 lib: update null_nttime() of -1: -1 is NTTIME_FREEZE
NTTIME_FREEZE is not a nil sentinel value, instead it implies special, yet
unimplemented semantics. Callers must deal with those values specifically and
null_nttime() must not lie about their nature.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 5503bde93b)
2021-11-10 14:37:13 +00:00
Ralph Boehme
f8fec80020 lib: use NTTIME_FREEZE in a null_nttime() test
No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e2740e4868)
2021-11-10 14:37:13 +00:00
Ralph Boehme
43f873d52a lib: fix null_nttime() tests
The test was checking -1 twice:

	torture_assert(tctx, null_nttime(-1), "-1");
	torture_assert(tctx, null_nttime(-1), "-1");

The first line was likely supposed to test the value "0".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit d84779302c)
2021-11-10 14:37:13 +00:00
Ralph Boehme
ac6f4c093b lib: add NTTIME_THAW
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f73aff502c)
2021-11-10 14:37:13 +00:00
Alexander Bokovoy
c219b832d9 CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.

It means that role won't result in ROLE_STANDALONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:43 +01:00
Samuel Cabrero
adb6620043 CVE-2020-25717: loadparm: Add new parameter "min domain uid"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

[abartlet@samba.org Backported from master/4.15 due to
 conflicts with other new parameters]
2021-11-08 10:46:43 +01:00
Stefan Metzmacher
5e3b924cb3 ldb: version 2.3.2
Backport all C code changes from ldb-2.4.1
to be available for Samba 4.14.x

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(v4-14-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-14-test): Tue Nov  2 21:47:27 UTC 2021 on sn-devel-184
2021-11-02 21:47:27 +00:00
Andreas Schneider
7a1128cb9a lib:ldb-samba: Improve calculate_popt_array_length()
Note that memcmp() doesn't work well with padding bytes. So avoid it!

(gdb) ptype/o struct poptOption
/* offset    |  size */  type = struct poptOption {
/*    0      |     8 */    const char *longName;
/*    8      |     1 */    char shortName;
/* XXX  3-byte hole  */
/*   12      |     4 */    unsigned int argInfo;
/*   16      |     8 */    void *arg;
/*   24      |     4 */    int val;
/* XXX  4-byte hole  */
/*   32      |     8 */    const char *descrip;
/*   40      |     8 */    const char *argDescrip;

                           /* total size (bytes):   48 */

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c2c7c1f50a)
2021-11-02 20:36:16 +00:00
Andreas Schneider
48f3f52c1b lib:ldb: Use C99 initializers for builtin_popt_options[]
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a593065c7f)
2021-11-02 20:36:16 +00:00
Björn Baumbach
7158c94706 pyldb: fix a typo
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Rowland penny <rpenny@samba.org>
(cherry picked from commit 6fcde09f09)
2021-11-02 20:36:16 +00:00
Douglas Bagnall
e6aff15a77 ldb: improve comments for ldb_module_connect_backend()
There is no flags argument.
There are more URI forms.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 48068a58df)
2021-11-02 20:36:16 +00:00
Douglas Bagnall
461096c521 ldb: correct comments in attrib_handers val_to_int64
c.f. the identical static function in lib/ldb-samba/ldif_handlers.c

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 46e6f6ef84)
2021-11-02 20:36:16 +00:00
Douglas Bagnall
e4741f2a11 ldb.h: remove undefined async_ctx function signatures
These functions do not exist.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 1a05b58eda)
2021-11-02 20:36:16 +00:00
Andreas Schneider
65cdcb4848 lib:ldb: Add missing break in switch statement
error: unannotated fall-through between switch labels [-Werror,-Wimplicit-fallthrough]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 1ffacac547)
2021-11-02 20:36:16 +00:00
Joseph Sutton
2c8091ab97 pyldb: Fix Message.items() for a message containing elements
Previously, message elements were being freed before the call to
Py_BuildValue(), resulting in an exception being raised. Additionally,
only the first element of the returned list was ever assigned to.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3e4ec0a90a)
2021-11-02 20:36:16 +00:00
Douglas Bagnall
7c3f03589a ldb_match: remove redundant check
We already ensure the no-trailing-asterisk case ends at the end of the
string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fa93339978)
2021-11-02 20:36:16 +00:00
Stefan Metzmacher
0a794271f8 pyldb: catch potential overflow error in py_timestring
Pair-Programmed-With: Björn Baumbach <bb@sernet.de>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 71e8b24b8a)
2021-11-02 20:36:16 +00:00
Douglas Bagnall
3e2a1671d6 ldb: fix ldb_comparison_fold off-by-one overrun
We run one character over in comparing all the bytes in two ldb_vals.

In almost all circumstances both ldb_vals would have an allocated '\0'
in the overrun position, but it is best not to rely on that.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2b2f4f5194)
2021-11-02 20:36:16 +00:00
Douglas Bagnall
1870e5b46c ldb_match: trailing chunk must match end of string
A wildcard search is divided into chunks by the asterisks. While most
chunks match the first suitable string, the last chunk matches the
last possible string (unless there is a trailing asterisk, in which
case this distinction is moot).

We always knew this in our hearts, but we tried to do it in a funny
complicated way that stepped through the string, comparing here and
there, leading to CVE-2019-3824 and missed matches (bug 14044).

With this patch, we just jump to the end of the string and compare it.
As well as being correct, this should also improve performance, as the
previous algorithm involved a quadratic loop of erroneous memmem()s.

See https://tools.ietf.org/html/rfc4517

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cc098f1cad)
2021-11-02 20:36:16 +00:00
Douglas Bagnall
4548760ee8 ldb/attrib_handler casefold: simplify space dropping
As seen in CVE-2021-20277, ldb_handler_fold() has been making mistakes
when collapsing spaces down to a single space.

This patch fixes the way it handles internal spaces (CVE-2021-20277
was about leading spaces), and involves a rewrite of the parsing loop.

The bug has a detailed description of the problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  7 03:16:39 UTC 2021 on sn-devel-184
(cherry picked from commit  24ddc1ca9c)
2021-11-02 20:36:16 +00:00
Andrew Bartlett
c1d2a0570d ldb: Release ldb 2.3.1
* Corrected python behaviour for 'in' for LDAP attributes
  contained as part of ldb.Message (bug 14845)
* Fix memory handling in ldb.msg_diff (bug 14836)
* Corrected python docstrings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(v4-14-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184
2021-10-26 13:03:37 +00:00
Joseph Sutton
e425abeb7d pyldb: Make ldb.Message containment testing consistent with indexing
Previously, containment testing using the 'in' operator was handled by
performing an equality comparison between the chosen object and each of
the message's keys in turn. This behaviour was prone to errors due to
not considering differences in case between otherwise equal elements, as
the indexing operations do.

Containment testing should now be more consistent with the indexing
operations and with the get() method of ldb.Message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 860d8902a9)
2021-10-26 12:00:28 +00:00
Joseph Sutton
fabd904977 pyldb: Add tests for ldb.Message containment testing
These tests verify that the 'in' operator on ldb.Message is consistent
with indexing and the get() method. This means that the 'dn' element
should always be present, lookups should be case-insensitive, and use of
an invalid type should result in a TypeError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 865fe23859)
2021-10-26 12:00:28 +00:00
Joseph Sutton
588749ba7b pyldb: Raise TypeError for an invalid ldb.Message index
Previously, a TypeError was raised and subsequently overridden by a
KeyError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 22353767ca)
2021-10-26 12:00:28 +00:00
Joseph Sutton
a78c94440b pyldb: Add test for an invalid ldb.Message index type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b018e51d27)
2021-10-26 12:00:28 +00:00
Joseph Sutton
d8f3019479 pyldb: Fix deleting an ldb.Control critical flag
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9d25a21d60)
2021-10-26 12:00:28 +00:00
Joseph Sutton
2bb74e48c7 pyldb: Fix deleting an ldb.Message dn
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org backported from commit d7af772de8
 due to conflicts in knownfail.d/python-segfaults]
2021-10-26 12:00:28 +00:00
Joseph Sutton
33e8ef79d4 Fix Python docstrings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Sep  4 00:55:32 UTC 2021 on sn-devel-184

(cherry picked from commit 02b1873033)
2021-10-26 12:00:28 +00:00
Andrew Bartlett
6b5aba80e6 lib/krb5_wrap: Fix missing error check in new salt code
CID 1492905: Control flow issues  (DEADCODE)

This was a regression in 5eeb441b77.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184

(cherry picked from commit 5094d986b7)
2021-10-26 12:00:28 +00:00
Andrew Bartlett
51324ea4a6 dsdb: Allow special chars like "@" in samAccountName when generating the salt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184

(cherry picked from commit 5eeb441b77)
2021-10-26 12:00:28 +00:00
Joseph Sutton
5a90b3e832 pyldb: Avoid use-after-free in msg_diff()
Make a deep copy of the message elements in msg_diff() so that if either
of the input messages are deallocated early, the result does not refer
to non-existing elements.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

[abartlet@samba.org backported from commit
 19a2af02f5 due to conflicts in
 the knownfail.d/python-segfaults file]

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Sep 29 13:14:22 UTC 2021 on sn-devel-184
2021-09-29 13:14:22 +00:00
Joseph Sutton
9d61f2f2f3 ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c2bbe774ce)
2021-09-29 12:13:10 +00:00
Joseph Sutton
de40f47cfa python: Ensure reference counts are properly incremented
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 290c1dc097)
2021-09-16 06:50:11 +00:00
Ralph Boehme
a25b75b2ca lib: add sys_io_ranges_overlap()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12033

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 4f1a02909b)
2021-08-11 09:54:14 +00:00
Ralph Boehme
d5d6bbaa93 replace: copy_file_range()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12033

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 4dcc04228d)
2021-08-11 09:54:14 +00:00
Andreas Schneider
5611a6999c lib:replace: Do not build strndup test with gcc 11 or newer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14699

gcc11 with -O3 detects that the size is incorrect:

lib/replace/tests/testsuite.c:286:13: error: ‘strndup’ specified bound 10 exceeds source size 4 [-Werror=stringop-overread]
  286 |         x = strndup("bla", 10);
      |             ^~~~~~~~~~~~~~~~~~

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 8f12793ca5)

Autobuild-User(v4-14-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-14-test): Wed May 12 09:07:45 UTC 2021 on sn-devel-184
2021-05-12 09:07:45 +00:00
Stefan Metzmacher
f31a64c133 ldb: version 2.3.0
o BUG #14595: CVE-2020-27840: Heap corruption via crafted DN strings.
o BUG #14655: CVE-2021-20277: Out of bounds read in AD DC LDAP server.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Karolin Seeger <kseeger@samba.org>
2021-03-24 10:23:06 +01:00
Douglas Bagnall
2d82f0e1b8 CVE-2020-27840: pytests: move Dn.validate test to ldb
We had the test in the Samba Python segfault suite because
a) the signal catching infrastructure was there, and
b) the ldb tests lack Samba's knownfail mechanism, which allowed us to
   assert the failure.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-19 08:52:23 +01:00
Douglas Bagnall
f89767bea7 CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode
A DN string with lots of trailing space can cause ldb_dn_explode() to
put a zero byte in the wrong place in the heap.

When a DN string has a value represented with trailing spaces,
like this

     "CN=foo   ,DC=bar"

the whitespace is supposed to be ignored. We keep track of this in the
`t` pointer, which is NULL when we are not walking through trailing
spaces, and points to the first space when we are. We are walking with
the `p` pointer, writing the value to `d`, and keeping the length in
`l`.

     "CN=foo   ,DC= "       ==>       "foo   "
            ^  ^                             ^
            t  p                             d
                                       --l---

The value is finished when we encounter a comma or the end of the
string. If `t` is not NULL at that point, we assume there are trailing
spaces and wind `d and `l` back by the correct amount. Then we switch
to expecting an attribute name (e.g. "CN"), until we get to an "=",
which puts us back into looking for a value.

Unfortunately, we forget to immediately tell `t` that we'd finished
the last value, we can end up like this:

     "CN=foo   ,DC= "       ==>        ""
            ^      ^                    ^
            t      p                    d
                                        l=0

where `p` is pointing to a new value that contains only spaces, while
`t` is still referring to the old value. `p` notices the value ends,
and we subtract `p - t` from `d`:

     "CN=foo   ,DC= "       ==>  ?     ""
            ^       ^            ^
            t       p            d
                                      l ~= SIZE_MAX - 8

At that point `d` wants to terminate its string with a '\0', but
instead it terminates someone else's byte. This does not crash if the
number of trailing spaces is small, as `d` will point into a previous
value (a copy of "foo" in this example). Corrupting that value will
ultimately not matter, as we will soon try to allocate a buffer `l`
long, which will be greater than the available memory and the whole
operation will fail properly.

However, with more spaces, `d` will point into memory before the
beginning of the allocated buffer, with the exact offset depending on
the length of the earlier attributes and the number of spaces.

What about a longer DN with more attributes? For example,
"CN=foo     ,DC= ,DC=example,DC=com" -- since `d` has moved out of
bounds, won't we continue to use it and write more DN values into
mystery memory? Fortunately not, because the aforementioned allocation
of `l` bytes must happen first, and `l` is now huge. The allocation
happens in a talloc_memdup(), which is by default restricted to
allocating 256MB.

So this allows a person who controls a string parsed by ldb_dn_explode
to corrupt heap memory by placing a single zero byte at a chosen
offset before the allocated buffer.

An LDAP bind request can send a string DN as a username. This DN is
necessarily parsed before the password is checked, so an attacker does
not need proper credentials. The attacker can easily cause a denial of
service and we cannot rule out more subtle attacks.

The immediate solution is to reset `t` to NULL when a comma is
encountered, indicating that we are no longer looking at trailing
whitespace.

Found with the help of Honggfuzz.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-19 08:52:23 +01:00
Douglas Bagnall
fab6b79b77 CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds
For a string that had N spaces at the beginning, we would
try to move N bytes beyond the end of the string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(cherry-picked from commit for master)
2021-03-19 08:51:01 +01:00
Andrew Bartlett
50e44877c3 CVE-2021-20277 ldb: Remove tests from ldb_match_test that do not pass
This reverts some of the backport of 33a95a1e75

This is done here rather than squashed in the cherry-pick of the expanded testsuite
because it allows this commit to be simply reverted for the backport of bug 14044
if this lands first, or to be dropped if bug 14044 lands first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-03-19 08:51:01 +01:00
Douglas Bagnall
1d966cb12e CVE-2021-20277 ldb tests: ldb_match tests with extra spaces
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry-picked from commit for master)
2021-03-19 08:51:01 +01:00
Douglas Bagnall
ff12bd2fa1 ldb: add tests for ldb_wildcard_compare
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(cherry-picked from commit 33a95a1e75)
2021-03-19 08:51:01 +01:00
Andreas Schneider
938b89616a lib:util: Avoid free'ing our own pointer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0bdbe50fac)

Autobuild-User(v4-14-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-14-test): Tue Feb  9 13:31:03 UTC 2021 on sn-devel-184
2021-02-09 13:31:03 +00:00
Andreas Schneider
27d93c8d46 lib:util: Add cache oversize test for memcache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 00543ab3b2)
2021-02-09 12:27:16 +00:00
Andreas Schneider
805b8be949 lib:util: Add basic memcache unit test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bebbf621d6)
2021-02-09 12:27:16 +00:00