1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

63 Commits

Author SHA1 Message Date
Joseph Sutton
97e657b89b asn1: Remove unused function asn1_check_enumerated()
This function was reported as containing a bug, but it is unused and so
can be safely removed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=4153

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr  1 17:50:49 UTC 2021 on sn-devel-184
2021-04-01 17:50:49 +00:00
Douglas Bagnall
ed9abf94b3 utils/asn1: avoid undefined behaviour warning
UBSAN does not like an int >= 1<<24 being shifted left.
We check the overflow in the very next line.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25436

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Sep 11 05:05:59 UTC 2020 on sn-devel-184
2020-09-11 05:05:59 +00:00
Douglas Bagnall
9c3ff1b955 lib/util/asn1: avoid technically undefined shift
UBSAN says

 runtime error: left shift of 255 by 24 places cannot be represented in type 'int'

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22889

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-08-31 21:06:29 +00:00
Ralph Boehme
2327471756 lib: relicense smb_strtoul(l) under LGPLv3
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug  3 22:21:04 UTC 2020 on sn-devel-184
2020-08-03 22:21:02 +00:00
Gary Lockyer
ac80001100 lib util ASN.1: Panic on ASN.1 tag mismatch
If the ASN.1 depth is zero in asn1_end_tag, call smb_panic. Rather than
ignoring the condition.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-10 21:45:38 +00:00
Gary Lockyer
3d2dd6296d lib util asn1: modernize debug calls
Replace DEBUG(0 with DBG_ERR(

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Wed May  6 22:53:02 UTC 2020 on sn-devel-184
2020-05-06 22:53:02 +00:00
Gary Lockyer
bac809348a CVE-2020-10704 libcli ldap: Check search request lengths.
Check the search request lengths against the limits passed to
ldap_decode.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Mon May  4 04:40:10 UTC 2020 on sn-devel-184
2020-05-04 04:40:10 +00:00
Gary Lockyer
767558d424 CVE-2020-10704: lib util asn1: Check parse tree depth
Check the current depth of the parse tree and reject the input if the
depth exceeds that passed to asn1_init

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:32 +00:00
Gary Lockyer
f467727db5 CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
Add maximum parse tree depth to the call to asn1_init, which will be
used to limit the depth of the ASN.1 parse tree.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:31 +00:00
Jeremy Allison
2d5b7c9a50 lib: asn1.c: Prevent ASN1_ENUMERATED from wrapping.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14238

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <dbagnall@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 29 01:02:04 UTC 2020 on sn-devel-184
2020-01-29 01:02:03 +00:00
Swen Schillig
a8bbd60fd9 lib: Update all consumers of strtoul_err(), strtoull_err() to new API
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2019-06-30 11:32:18 +00:00
Gary Lockyer
412afb2aef Fix ubsan null pointer passed as argument 2
Fix ubsan warning null pointer passed as argument 2 when the source
pointer is NULL.  The calls to memcpy are now guarded by an
if (len > 0)

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Mon May 27 01:29:48 UTC 2019 on sn-devel-184
2019-05-27 01:29:48 +00:00
Swen Schillig
e7b7c634e8 common-lib: Use wrapper for string to integer conversion
In order to detect an value overflow error during
the string to integer conversion with strtoul/strtoull,
the errno variable must be set to zero before the execution and
checked after the conversion is performed. This is achieved by
using the wrapper function strtoul_err and strtoull_err.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-03-01 00:32:11 +00:00
Andreas Schneider
02913d0888 lib:util: Fix undefined behavior in asn1 parser
lib/util/asn1.c:969 runtime error: left shift of negative value -1

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-11-22 22:13:27 +01:00
Douglas Bagnall
9bbd7d1c77 asn1: make readContextSimple() add a NUL byte
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-09 10:32:16 +01:00
Douglas Bagnall
8ca1e349eb ASN1: use a talloc context in read_contextSimple
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-09 10:32:16 +01:00
Jeremy Allison
1d26012ce8 asn1: Ensure asn1_tag_remaining() only ever returns -1 as an error condition.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 10 01:38:03 CET 2016 on sn-devel-144
2016-02-10 01:38:03 +01:00
Jeremy Allison
697088ef16 asn1: Make asn1_peek_tag_needed_size() use the same overflow protection as asn1_start_tag().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-02-09 22:29:12 +01:00
Volker Lendecke
f60f7a62e2 asn1: Protect against overlong tag lengths
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-09 22:29:11 +01:00
Volker Lendecke
372bf525bf asn1: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-02-03 15:04:11 +01:00
Volker Lendecke
e46e030ee2 asn1: Simplify _ber_read_OID_String_impl
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-02-03 15:04:11 +01:00
Volker Lendecke
f7583be442 asn1: Make asn1_peek_tag_needed_size static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-01-13 07:48:31 +01:00
Volker Lendecke
2aa1cf48fc asn1: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-01-13 07:48:31 +01:00
Volker Lendecke
11de99a6d8 asn1: Clean up includes
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Jan  7 19:12:22 CET 2016 on sn-devel-144
2016-01-07 19:12:21 +01:00
Volker Lendecke
d865ed2006 asn1: Make 'struct asn1_data' private
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
927bbed6aa asn1: Add asn1_current_ofs()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
2a5141a772 asn1: Add asn1_has_nesting
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
7b7aa016df asn1: Add asn1_extract_blob()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
94b44598a5 asn1: Add asn1_set_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
fa207fe9d1 asn1: Add asn1_has_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
ef8049b243 asn1: Make "struct nesting" private
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:17 +01:00
Volker Lendecke
f908e6560b asn1: Add some early returns
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:17 +01:00
Volker Lendecke
249202d8c0 asn1: Add overflow check to asn1_write
Found by pure code reading :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:17 +01:00
Volker Lendecke
ad630a681e asn1: Make asn1_peek_full_tag return 0/errno
We don't need the full power of NTSTATUS here. This was the only
NTSTATUS in asn1.h, so I think it's worth removing it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:17 +01:00
Volker Lendecke
45800223fd asn1: Remove an unused asn1 function
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:17 +01:00
Volker Lendecke
cccec44842 lib: Fix CID 1272834 Unchecked return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-24 00:00:20 +01:00
Jeremy Allison
b9d3fd4cc5 lib: util: Check *every* asn1 return call and early return.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep 19 01:29:00 CEST 2014 on sn-devel-104
2014-09-19 01:29:00 +02:00
Jeff Layton
fec84112f3 asn1: fix use-after-free in asn1_write
On talloc_realloc failure, asn1_write calls talloc_free on an asn1_data
pointer and then tries to immediately set the has_error flag on it.

Skip the free and just set the has_error flag.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Oct 14 16:54:35 CEST 2013 on sn-devel-104
2013-10-14 16:54:34 +02:00
Andrew Bartlett
1013fab5f8 lib/util: Allocate enough space to reference blob->data[len]
Found by Thomas Hood <jdthood@gmail.com> using valgrind.

Thanks!

Andrew Bartlett
2012-07-13 08:12:17 +02:00
Jeremy Allison
e719dfd4dc Fix our asn.1 parser to handle negative numbers.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue May 24 22:57:16 CEST 2011 on sn-devel-104
2011-05-24 22:57:16 +02:00
Volker Lendecke
4981adcca3 asn1: Fix Coverity ID 2299, CHECKED_RETURN 2011-04-22 10:06:36 +02:00
Matthias Dieter Wallnöfer
3b591caed0 lib/util/asn1.c - remove the "const" specifier from OID
There is no reason to have it "const" since it's an allocated thing.
2010-12-21 15:10:37 +11:00
Kamen Mazdrashki
6b63ad6ff1 asn1: ber_write_OID_String() to be more picky about supplied OID
Now function will check for invalid OID handling cases where:
 - sub-identifier has invalid characters (non-digit)
 - 'dot' separator found on unexpected place. For instance
    '.' at start or end of the OID. Two '.' in a row.
2010-10-22 01:48:58 +03:00
Kamen Mazdrashki
d057ca3e3f lib/util/asn1.c: comment spelling 2010-10-20 13:12:17 +00:00
Stefan Metzmacher
59d00fc439 lib/util/asn1: let asn1_peek_full_tag() return an error if we fail to parse tag hdr/len
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Oct  4 14:46:40 UTC 2010 on sn-devel-104
2010-10-04 14:46:40 +00:00
Volker Lendecke
fc6e910e69 s3: Fix a 64-bit BUG
Quick explanation why this is a problem:

It is not safe to pass a pointer to a uint32_t into a routine that expects
a size_t *. The routine that this pointer is passed to has no chance to find
out that in reality it was passed a pointer to a uint32_t. On platforms where
sizeof(size_t)==8, we get a nice overwrite of a stack area that should not
be overwritten.

As this happens over an over again: Does someone know a means to make gcc
stop with an error in this case?

Volker
2010-10-02 11:17:49 +02:00
Stefan Metzmacher
182a69c5be lib/util/asn1: add asn1_peek_tag_needed_size() and asn1_peek_full_tag()
We need a way to ask for the length of a tag without having the full
buffer yet.

metze
2010-09-26 06:45:39 +02:00
Volker Lendecke
56940a28ff Fix an uninitialized variable 2010-03-21 21:01:28 +01:00
Matt Kraai
a7250eb142 Change uint_t to unsigned int in lib/util
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-02-02 07:18:17 +01:00
Kamen Mazdrashki
f11cdc19d1 s4/asn1: Use explicite TALLOC_CTX in ber_write_OID functions 2009-10-16 12:54:13 +03:00