CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use
authorAndrew Bartlett <abartlet@samba.org>
Mon, 21 May 2018 03:20:26 +0000 (15:20 +1200)
committerKarolin Seeger <kseeger@samba.org>
Sat, 11 Aug 2018 06:16:04 +0000 (08:16 +0200)
ldb_dn_from_ldb_val() does not validate this untrusted input, so a later
call to ldb_dn_get_casefold() can fail if the input is not valid.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

lib/ldb/ldb_tdb/ldb_index.c

index 682469396ce2ea12df3eb2c932fba502c7709f92..429c8f5aa247da6edff698d6acfffbb94d21ab9e 100644 (file)
@@ -970,6 +970,7 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
                return LDB_SUCCESS;
        }
        if (ldb_attr_dn(tree->u.equality.attr) == 0) {
+               bool valid_dn = false;
                struct ldb_dn *dn
                        = ldb_dn_from_ldb_val(list,
                                              ldb_module_get_ctx(module),
@@ -981,6 +982,14 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
                        return LDB_SUCCESS;
                }
 
+               valid_dn = ldb_dn_validate(dn);
+               if (valid_dn == false) {
+                       /* If we can't parse it, no match */
+                       list->dn = NULL;
+                       list->count = 0;
+                       return LDB_SUCCESS;
+               }
+
                /*
                 * Re-use the same code we use for a SCOPE_BASE
                 * search