mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
dbb3e65f7e
A DN string with lots of trailing space can cause ldb_dn_explode() to put a zero byte in the wrong place in the heap. When a DN string has a value represented with trailing spaces, like this "CN=foo ,DC=bar" the whitespace is supposed to be ignored. We keep track of this in the `t` pointer, which is NULL when we are not walking through trailing spaces, and points to the first space when we are. We are walking with the `p` pointer, writing the value to `d`, and keeping the length in `l`. "CN=foo ,DC= " ==> "foo " ^ ^ ^ t p d --l--- The value is finished when we encounter a comma or the end of the string. If `t` is not NULL at that point, we assume there are trailing spaces and wind `d and `l` back by the correct amount. Then we switch to expecting an attribute name (e.g. "CN"), until we get to an "=", which puts us back into looking for a value. Unfortunately, we forget to immediately tell `t` that we'd finished the last value, we can end up like this: "CN=foo ,DC= " ==> "" ^ ^ ^ t p d l=0 where `p` is pointing to a new value that contains only spaces, while `t` is still referring to the old value. `p` notices the value ends, and we subtract `p - t` from `d`: "CN=foo ,DC= " ==> ? "" ^ ^ ^ t p d l ~= SIZE_MAX - 8 At that point `d` wants to terminate its string with a '\0', but instead it terminates someone else's byte. This does not crash if the number of trailing spaces is small, as `d` will point into a previous value (a copy of "foo" in this example). Corrupting that value will ultimately not matter, as we will soon try to allocate a buffer `l` long, which will be greater than the available memory and the whole operation will fail properly. However, with more spaces, `d` will point into memory before the beginning of the allocated buffer, with the exact offset depending on the length of the earlier attributes and the number of spaces. What about a longer DN with more attributes? For example, "CN=foo ,DC= ,DC=example,DC=com" -- since `d` has moved out of bounds, won't we continue to use it and write more DN values into mystery memory? Fortunately not, because the aforementioned allocation of `l` bytes must happen first, and `l` is now huge. The allocation happens in a talloc_memdup(), which is by default restricted to allocating 256MB. So this allows a person who controls a string parsed by ldb_dn_explode to corrupt heap memory by placing a single zero byte at a chosen offset before the allocated buffer. An LDAP bind request can send a string DN as a username. This DN is necessarily parsed before the password is checked, so an attacker does not need proper credentials. The attacker can easily cause a denial of service and we cannot rule out more subtle attacks. The immediate solution is to reset `t` to NULL when a comma is encountered, indicating that we are no longer looking at trailing whitespace. Found with the help of Honggfuzz. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> |
||
---|---|---|
.. | ||
flapping.d | ||
gnupg | ||
knownfail.d | ||
manage-ca | ||
ns | ||
target | ||
checkpassword_arg1.sh | ||
create_smb1_fail_skipfile.txt | ||
devel_env.sh | ||
filter-subunit | ||
flapping | ||
format-subunit | ||
format-subunit-json | ||
gdb_backtrace | ||
gdb_backtrace_test.c | ||
gdb_run | ||
in_screen | ||
knownfail | ||
knownfail_heimdal_kdc | ||
knownfail_mit_kdc | ||
knownfail_mit_krb5_pre_1_18 | ||
no-python-tests.txt | ||
perf_tests.py | ||
quick | ||
README | ||
save.env.sh | ||
selftest.pl | ||
selftest.pl.1 | ||
selftesthelpers.py | ||
skip | ||
skip_mit_kdc | ||
skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X | ||
skip.opath-required | ||
slow | ||
slow-none | ||
SocketWrapper.pm | ||
Subunit.pm | ||
subunithelper.py | ||
tap2subunit | ||
tests.py | ||
TODO | ||
todo_smb2_tests_to_port.list | ||
ubsan.supp | ||
valgrind_run | ||
wscript |
# vim: ft=rst This directory contains test scripts that are useful for running a bunch of tests all at once. There are two parts to this: * The test runner (selftest/selftest.pl) * The test formatter selftest.pl simply outputs subunit, which can then be formatted or analyzed by tools that understand the subunit protocol. One of these tools is format-subunit, which is used by default as part of "make test". Available testsuites ==================== The available testsuites are obtained from a script, usually source{3,4}/selftest/tests.py. This script should for each testsuite output the name of the test, the command to run and the environment that should be provided. Use the included "plantest" function to generate the required output. Testsuite behaviour =================== Exit code ------------ The testsuites should exit with a non-zero exit code if at least one test failed. Skipped tests should not influence the exit code. Output format ------------- Testsuites can simply use the exit code to indicate whether all of their tests have succeeded or one or more have failed. It is also possible to provide more granular information using the Subunit protocol. This protocol works by writing simple messages to standard output. Any messages that can not be interpreted by this protocol are considered comments for the last announced test. For a full description of the subunit protocol, see the README file in the subunit repository at http://github.com/testing-cabal/subunit. The following commands are Samba extensions to Subunit: start-testsuite ~~~~~~~~~~~~~~~ start-testsuite: name The testsuite name is used as prefix for all containing tests. skip-testsuite ~~~~~~~~~~~~~~ skip-testsuite: name Mark the testsuite with the specified name as skipped. testsuite-success ~~~~~~~~~~~~~~~~~ testsuite-success: name Indicate that the testsuite has succeeded successfully. testsuite-fail ~~~~~~~~~~~~~~ testsuite-fail: name Indicate that a testsuite has failed. Environments ============ Tests often need to run against a server with particular things set up, a "environment". This environment is provided by the test "target": Samba 3, Samba 4 or Windows. The environments are currently available include - none: No server set up, no variables set. - dc,s3dc: Domain controller set up. The following environment variables will be set: * USERNAME: Administrator user name * PASSWORD: Administrator password * DOMAIN: Domain name * REALM: Realm name * SERVER: DC host name * SERVER_IP: DC IPv4 address * SERVER_IPV6: DC IPv6 address * NETBIOSNAME: DC NetBIOS name * NETIOSALIAS: DC NetBIOS alias - member,s4member,s3member: Domain controller and member server that is joined to it set up. The following environment variables will be set: * USERNAME: Domain administrator user name * PASSWORD: Domain administrator password * DOMAIN: Domain name * REALM: Realm name * SERVER: Name of the member server See Samba.pm, Samba3.pm and Samba4.pm for the full list. Running tests ============= To run all the tests use:: make test To run a quicker subset run:: make quicktest To run a specific test, use this syntax:: make test TESTS=testname for example:: make test TESTS=samba4.BASE-DELETE