CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use
authorAndrew Bartlett <abartlet@samba.org>
Mon, 21 May 2018 03:20:26 +0000 (15:20 +1200)
committerKarolin Seeger <kseeger@samba.org>
Tue, 14 Aug 2018 11:57:15 +0000 (13:57 +0200)
ldb_dn_from_ldb_val() does not validate this untrusted input, so a later
call to ldb_dn_get_casefold() can fail if the input is not valid.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

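--- a/lib/ldb/ldb_key_value/ldb_kv_index.c
+++ b/lib/ldb/ldb_key_value/ldb_kv_index.c
@@ -1172,6 +1172,7 @@ static int ldb_kv_index_dn_leaf(struct ldb_module *module,
        }
        if (ldb_attr_dn(tree->u.equality.attr) == 0) {
                enum key_truncation truncation = KEY_NOT_TRUNCATED;
+               bool valid_dn = false;
                struct ldb_dn *dn
                        = ldb_dn_from_ldb_val(list,
                                              ldb_module_get_ctx(module),
@@ -1183,6 +1184,14 @@ static int ldb_kv_index_dn_leaf(struct ldb_module *module,
                        return LDB_SUCCESS;
                }
 
+               valid_dn = ldb_dn_validate(dn);
+               if (valid_dn == false) {
+                       /* If we can't parse it, no match */
+                       list->dn = NULL;
+                       list->count = 0;
+                       return LDB_SUCCESS;
+               }
+
                /*
                 * Re-use the same code we use for a SCOPE_BASE
                 * search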
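Review bot: The comment on the new early return in the second hunk says only `If we can't parse it, no match`, and leaves out why the check has to sit exactly here: per the commit message, ldb_dn_from_ldb_val() does not validate the filter value, and the later ldb_dn_get_casefold() call can fail on a DN that does not parse. I would spell that out, e.g. `/* dn comes from the search filter and is not validated by ldb_dn_from_ldb_val(); reject it before ldb_dn_get_casefold() is reached */`, so the guard is not later removed as redundant. The `valid_dn` local is read only once, so `if (!ldb_dn_validate(dn)) {` would do without the extra declaration added in the first hunk. The rest of ldb_kv_index_dn_leaf() lies outside both hunks, so whether other paths hand an unvalidated DN to ldb_dn_get_casefold() cannot be judged from here; that is worth checking, along with a regression test that uses a malformed distinguishedName filter value.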