Add search request size limits to ldap_decode calls.
The ldap server uses the smb.conf variable
"ldap max search request size" which defaults to 250Kb.
For cldap the limit is hard coded as 4096.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
--- /dev/null
+<samba:parameter name="ldap max search request size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the maximum permitted size (in bytes)
+ for an LDAP search request.
+ </para>
+
+ <para>
+ If the request size exceeds this limit the request will be
+ rejected.
+ </para>
+</description>
+<value type="default">256000</value>
+<value type="example">4194304</value>
+</samba:parameter>
TALLOC_CTX *mem_ctx = talloc_init(__FUNCTION__);
struct asn1_data *asn1;
struct ldap_message *ldap_msg;
+ struct ldap_request_limits limits = {
+ /*
+ * The default size is currently 256000 bytes
+ */
+ .max_search_size = 256000
+ };
NTSTATUS status;
/*
goto out;
}
- status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg);
+ status = ldap_decode(
+ asn1, &limits, samba_ldap_control_handlers(), ldap_msg);
out:
talloc_free(mem_ctx);
lp_ctx, "ldap max anonymous request size", "256000");
lpcfg_do_global_parameter(
lp_ctx, "ldap max authenticated request size", "16777216");
+ lpcfg_do_global_parameter(
+ lp_ctx, "ldap max search request size", "256000");
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
struct tevent_req *req;
};
+/*
+ * For CLDAP we limit the maximum search request size to 4kb
+ */
+#define MAX_SEARCH_REQUEST 4096
+
static int cldap_socket_destructor(struct cldap_socket *c)
{
while (c->searches.list) {
void *p;
struct cldap_search_state *search;
NTSTATUS status;
+ struct ldap_request_limits limits = {
+ .max_search_size = MAX_SEARCH_REQUEST
+ };
if (in->recv_errno != 0) {
goto error;
}
/* this initial decode is used to find the message id */
- status = ldap_decode(asn1, NULL, in->ldap_msg);
+ status = ldap_decode(asn1, &limits, NULL, in->ldap_msg);
if (!NT_STATUS_IS_OK(status)) {
goto nterror;
}
struct cldap_search_state);
struct ldap_message *ldap_msg;
NTSTATUS status;
+ struct ldap_request_limits limits = {
+ .max_search_size = MAX_SEARCH_REQUEST
+ };
if (tevent_req_is_nterror(req, &status)) {
goto failed;
goto nomem;
}
- status = ldap_decode(state->response.asn1, NULL, ldap_msg);
+ status = ldap_decode(state->response.asn1, &limits, NULL, ldap_msg);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
*io->out.response = ldap_msg->r.SearchResultEntry;
/* decode the 2nd part */
- status = ldap_decode(state->response.asn1, NULL, ldap_msg);
+ status = ldap_decode(
+ state->response.asn1, &limits, NULL, ldap_msg);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
/* This routine returns LDAP status codes */
_PUBLIC_ NTSTATUS ldap_decode(struct asn1_data *data,
+ const struct ldap_request_limits *limits,
const struct ldap_control_handler *control_handlers,
struct ldap_message *msg)
{
bool (*encode)(void *mem_ctx, void *in, DATA_BLOB *out);
};
+struct ldap_request_limits {
+ unsigned max_search_size;
+};
+
struct asn1_data;
struct ldap_message *new_ldap_message(TALLOC_CTX *mem_ctx);
NTSTATUS ldap_decode(struct asn1_data *data,
+ const struct ldap_request_limits *limits,
const struct ldap_control_handler *control_handlers,
struct ldap_message *msg);
bool ldap_encode(struct ldap_message *msg,
NTSTATUS status;
uint8_t buf[0];
size_t len = 0;
+ struct ldap_request_limits limits = {
+ .max_search_size = 256000,
+ };
asn1 = asn1_init(test_ctx, ASN1_MAX_TREE_DEPTH);
ldap_msg = talloc(test_ctx, struct ldap_message);
assert_non_null(ldap_msg);
- status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg);
+ status = ldap_decode(
+ asn1, &limits, samba_ldap_control_handlers(), ldap_msg);
assert_ldap_status_equal(LDAP_PROTOCOL_ERROR, status);
}
uint8_t *buffer = NULL;
const size_t BUFF_SIZE = 1048576;
size_t len;
+ struct ldap_request_limits limits = {
+ .max_search_size = 256000,
+ };
/*
ldap_msg = talloc(test_ctx, struct ldap_message);
assert_non_null(ldap_msg);
- status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg);
+ status = ldap_decode(
+ asn1, &limits, samba_ldap_control_handlers(), ldap_msg);
assert_ldap_status_equal(LDAP_PROTOCOL_ERROR, status);
}
uint8_t *buffer = NULL;
const size_t BUFF_SIZE = 1048576;
size_t len;
+ struct ldap_request_limits limits = {
+ .max_search_size = 256000,
+ };
buffer = talloc_zero_array(test_ctx, uint8_t, BUFF_SIZE);
ldap_msg = talloc(test_ctx, struct ldap_message);
assert_non_null(ldap_msg);
- status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg);
+ status = ldap_decode(
+ asn1, &limits, samba_ldap_control_handlers(), ldap_msg);
assert_true(NT_STATUS_IS_OK(status));
}
uint8_t *buffer = NULL;
const size_t BUFF_SIZE = 1048576;
size_t len;
+ struct ldap_request_limits limits = {
+ .max_search_size = 256000,
+ };
buffer = talloc_zero_array(test_ctx, uint8_t, BUFF_SIZE);
ldap_msg = talloc(test_ctx, struct ldap_message);
assert_non_null(ldap_msg);
- status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg);
+ status = ldap_decode(
+ asn1, &limits, samba_ldap_control_handlers(), ldap_msg);
assert_ldap_status_equal(LDAP_PROTOCOL_ERROR, status);
}
Globals.ldap_max_anonymous_request_size = 256000;
Globals.ldap_max_authenticated_request_size = 16777216;
+ Globals.ldap_max_search_request_size = 256000;
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
struct asn1_data *asn1;
DATA_BLOB blob;
int ret = LDAP_SUCCESS;
+ struct ldap_request_limits limits = {0};
conn->sockets.read_req = NULL;
return;
}
- status = ldap_decode(asn1, samba_ldap_control_handlers(),
- call->request);
+ limits.max_search_size =
+ lpcfg_ldap_max_search_request_size(conn->lp_ctx);
+ status = ldap_decode(
+ asn1,
+ &limits,
+ samba_ldap_control_handlers(),
+ call->request);
if (!NT_STATUS_IS_OK(status)) {
ldapsrv_terminate_connection(conn, nt_errstr(status));
return;
struct ldap_message *msg;
struct asn1_data *asn1;
DATA_BLOB blob;
+ struct ldap_request_limits limits = {0};
msg = talloc_zero(conn, struct ldap_message);
if (msg == NULL) {
asn1_load_nocopy(asn1, blob.data, blob.length);
- status = ldap_decode(asn1, samba_ldap_control_handlers(), msg);
+ status = ldap_decode(asn1, &limits, samba_ldap_control_handlers(), msg);
asn1_free(asn1);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(msg);