From: Andrew Bartlett Date: Mon, 21 May 2018 03:20:26 +0000 (+1200) Subject: CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use X-Git-Tag: ldb-1.5.0~3 X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=b27d973341144a03db8dc824bfb3e5c65868fe7e;p=samba.git CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use ldb_dn_from_ldb_val() does not validate this untrusted input, so a later call to ldb_dn_get_casefold() can fail if the input is not valid. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374 --- diff --git a/lib/ldb/ldb_key_value/ldb_kv_index.c b/lib/ldb/ldb_key_value/ldb_kv_index.c index fda55dd548f..4e9d9043bfd 100644 --- a/lib/ldb/ldb_key_value/ldb_kv_index.c +++ b/lib/ldb/ldb_key_value/ldb_kv_index.c @@ -1172,6 +1172,7 @@ static int ldb_kv_index_dn_leaf(struct ldb_module *module, } if (ldb_attr_dn(tree->u.equality.attr) == 0) { enum key_truncation truncation = KEY_NOT_TRUNCATED; + bool valid_dn = false; struct ldb_dn *dn = ldb_dn_from_ldb_val(list, ldb_module_get_ctx(module), @@ -1183,6 +1184,14 @@ static int ldb_kv_index_dn_leaf(struct ldb_module *module, return LDB_SUCCESS; } + valid_dn = ldb_dn_validate(dn); + if (valid_dn == false) { + /* If we can't parse it, no match */ + list->dn = NULL; + list->count = 0; + return LDB_SUCCESS; + } + /* * Re-use the same code we use for a SCOPE_BASE * search
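Review bot: the valid_dn local declared in the first hunk (@@ -1172,6 +1172,7 @@) is assigned once and tested once, immediately afterwards, so it carries no state worth naming. Testing the call directly, as in "if (!ldb_dn_validate(dn)) {", would drop both the extra declaration and the "== false" comparison on a bool.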
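Review bot: in the second hunk (@@ -1183,6 +1184,14 @@) the comment on the new early return, "If we can't parse it, no match", does not record why the check has to sit here. The commit message has the reason: ldb_dn_from_ldb_val() does not validate this untrusted input, and a later ldb_dn_get_casefold() can fail on it. Please put that in the comment so the check is not later removed as redundant. The branch also returns LDB_SUCCESS with an empty list, so a malformed distinguishedName= value looks the same to the caller as a well-formed DN with no match. If that is intended, say so in the comment. No test accompanies the change in this diff; a regression test that searches with an invalid DN in a distinguishedName= filter and expects zero results would pin the behaviour down.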