CVE-2018-16851 ldap_server: Check ret before manipulating blob

In the case of hitting the talloc ~256MB limit, this causes a crash in
the server.

Note that you would actually need to load >256MB of data into the LDAP.
Although there is some generated/hidden data which would help you reach that
limit (descriptors and RMD blobs).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index f6329f05c5a011cc6e32b2784f02604a07a4b3b9..783823043dc4990d8329f5036dbebce9d736a63e 100644 (file)
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -690,13 +690,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
                ret = data_blob_append(call, &blob, b.data, b.length);
                data_blob_free(&b);
 
-               talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
-
                if (!ret) {
                        ldapsrv_terminate_connection(conn, "data_blob_append failed");
                        return;
                }
 
+               talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
+
                DLIST_REMOVE(call->replies, call->replies);
        }