[SCM] Samba Shared Repository - branch v4-11-stable updated
Karolin Seeger
kseeger at samba.org
Tue Apr 28 07:21:01 UTC 2020
The branch, v4-11-stable has been updated
via 86c951a1336 VERSION: Disable GIT_SNAPSHOT for the 4.11.8 release.
via b720477b57f WHATSNEW: Add release notes for Samba 4.11.8.
via 40a58a973c0 CVE-2020-10704 libcli ldap: Check search request lengths.
via 458b014a4d1 CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode
via 5cf90961748 CVE-2020-10704: S4 ldap server: Limit request sizes
via fde64820294 CVE-2020-10704: smb.conf: Add max ldap request sizes
via e5c4b58314e CVE-2020-10704: ldapserver tests: Limit search request sizes
via ef35bb12674 CVE-2020-10704: lib util asn1: Check parse tree depth
via f9d5c246f8a CVE-2020-10704: libcli ldap: test recursion depth in ldap_decode_filter_tree
via f931ec7b387 CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
via 2a611988cac CVE-2020-10700: ldb: Bump version up to 2.0.10.
via 980831bb97c CVE-2020-10700: dsdb: Do not permit the ASQ control for the GUID search in paged_results
via 24e621b4dde CVE-2020-10700: ldb: Always use ldb_next_request() in ASQ module
via ffd2779db53 CVE-2020-10700: dsdb: Add test for ASQ and ASQ in combination with paged_results
via 71bc0ab02b3 VERSION: Bump version up to 4.11.8...
from 664f5488733 VERSION: Disable GIT_SNAPSHOT for the 4.11.7 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-stable
- Log -----------------------------------------------------------------
commit 86c951a1336b2073f35c9ccc16673b6f99251fcc
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Apr 21 13:23:38 2020 +0200
VERSION: Disable GIT_SNAPSHOT for the 4.11.8 release.
o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit b720477b57f565b9986dec2cebb051b661d253c5
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Apr 21 13:23:09 2020 +0200
WHATSNEW: Add release notes for Samba 4.11.8.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 40a58a973c0cfb7b259198c8f5df15ada39240ab
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed Apr 8 10:46:44 2020 +1200
CVE-2020-10704 libcli ldap: Check search request lengths.
Check the search request lengths against the limits passed to
ldap_decode.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 458b014a4d10e89f99cc0b54a815b50d6c817dce
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed Apr 8 08:49:23 2020 +1200
CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode
Add search request size limits to ldap_decode calls.
The ldap server uses the smb.conf variable
"ldap max search request size" which defaults to 250Kb.
For cldap the limit is hard coded as 4096.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5cf90961748bfcbd8781317a9a80f4ca806a19fb
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed Apr 8 15:32:22 2020 +1200
CVE-2020-10704: S4 ldap server: Limit request sizes
Check the size of authenticated and anonymous ldap requests and reject
them if they exceed the limits in smb.conf
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fde648202947e96deb911ac1f6941455fc272468
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Apr 7 09:09:01 2020 +1200
CVE-2020-10704: smb.conf: Add max ldap request sizes
Add two new smb.conf parameters to control the maximum permitted ldap
request size.
Adds:
ldap max anonymous request size default 250Kb
ldap max authenticated request size default 16Mb
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e5c4b58314e9e8dba63b3078061619ae8b5d4ad3
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Apr 14 13:32:32 2020 +1200
CVE-2020-10704: ldapserver tests: Limit search request sizes
Add tests to ensure that overly long (> 256000 bytes) LDAP search
requests are rejected.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ef35bb12674bf591385c4629c84b1a76f231755b
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed Apr 8 15:30:52 2020 +1200
CVE-2020-10704: lib util asn1: Check parse tree depth
Check the current depth of the parse tree and reject the input if the
depth exceeds that passed to asn1_init
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9d5c246f8ac0bc14706059df5c615acddef13db
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu Apr 2 15:25:53 2020 +1300
CVE-2020-10704: libcli ldap: test recursion depth in ldap_decode_filter_tree
Add tests to check that ASN.1 ldap requests with deeply nested elements
are rejected. Previously there was no check on the on the depth of
nesting and excessive nesting could cause a stack overflow.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f931ec7b3875442d0c097c62b8e82bee4cb65584
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Apr 3 12:18:03 2020 +1300
CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
Add maximum parse tree depth to the call to asn1_init, which will be
used to limit the depth of the ASN.1 parse tree.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a611988caca66ebe2b88051b3bad148b442c72c
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Apr 17 13:28:52 2020 +0200
CVE-2020-10700: ldb: Bump version up to 2.0.10.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331
Signed-off-by: Karolin Seeger <kseeger at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 980831bb97c0caca95cf1d24d475f829f3c0a1d1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 11 16:43:31 2020 +1300
CVE-2020-10700: dsdb: Do not permit the ASQ control for the GUID search in paged_results
ASQ is a very strange control and a BASE search can return multiple results
that are NOT the requested DN, but the DNs pointed to by it!
Thanks to Andrei Popa <andrei.popa at next-gen.ro> for finding,
reporting and working with us to diagnose this issue!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 24e621b4dde15a26f4fbf1a2e2bc7ecdb77d26a4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 11 16:41:34 2020 +1300
CVE-2020-10700: ldb: Always use ldb_next_request() in ASQ module
We want to keep going down the module stack, and not start from the top again.
ASQ is above the ACL modules, but below paged_results and we do not wish to
re-trigger that work.
Thanks to Andrei Popa <andrei.popa at next-gen.ro> for finding,
reporting and working with us to diagnose this issue!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit ffd2779db53995c0f759539fe2d9cf425f7464c8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 30 09:44:20 2020 +0000
CVE-2020-10700: dsdb: Add test for ASQ and ASQ in combination with paged_results
Thanks to Andrei Popa <andrei.popa at next-gen.ro> for finding,
reporting and working with us to diagnose this issue!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 71bc0ab02b38288462b10a87439a6bc1d36f0087
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Mar 10 10:55:01 2020 +0100
VERSION: Bump version up to 4.11.8...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit 46e19f9f40258855d84e747bcb02019262e72057)
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 65 ++++-
auth/gensec/gensec_util.c | 2 +-
docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml | 18 ++
docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml | 18 ++
docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml | 18 ++
lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.0.10.sigs} | 0
...ldb-util-1.1.10.sigs => pyldb-util-2.0.10.sigs} | 0
lib/ldb/modules/asq.c | 12 +-
lib/ldb/wscript | 2 +-
lib/param/loadparm.c | 7 +
lib/util/asn1.c | 37 ++-
lib/util/asn1.h | 10 +-
lib/util/tests/asn1_tests.c | 2 +-
libcli/auth/spnego_parse.c | 6 +-
libcli/cldap/cldap.c | 20 +-
libcli/ldap/ldap_message.c | 7 +-
libcli/ldap/ldap_message.h | 5 +
libcli/ldap/tests/data/10000-or.dat | Bin 0 -> 39875 bytes
libcli/ldap/tests/data/ldap-recursive.dat | Bin 0 -> 970 bytes
libcli/ldap/tests/ldap_message_test.c | 287 +++++++++++++++++++++
libcli/ldap/wscript_build | 15 ++
python/samba/tests/ldap_raw.py | 234 +++++++++++++++++
source3/lib/tldap.c | 4 +-
source3/lib/tldap_util.c | 4 +-
source3/libsmb/clispnego.c | 4 +-
source3/param/loadparm.c | 4 +
source3/torture/torture.c | 2 +-
source4/auth/gensec/gensec_krb5.c | 4 +-
source4/dsdb/samdb/ldb_modules/paged_results.c | 18 +-
source4/dsdb/tests/python/asq.py | 171 ++++++++++++
source4/ldap_server/ldap_server.c | 108 +++++++-
source4/libcli/ldap/ldap_client.c | 5 +-
source4/libcli/ldap/ldap_controls.c | 48 ++--
source4/selftest/tests.py | 8 +
35 files changed, 1078 insertions(+), 69 deletions(-)
create mode 100644 docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
create mode 100644 docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
create mode 100644 docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.0.10.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-2.0.10.sigs} (100%)
create mode 100644 libcli/ldap/tests/data/10000-or.dat
create mode 100644 libcli/ldap/tests/data/ldap-recursive.dat
create mode 100644 libcli/ldap/tests/ldap_message_test.c
create mode 100644 python/samba/tests/ldap_raw.py
create mode 100644 source4/dsdb/tests/python/asq.py
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 1e3ac6be9cf..d721f86d116 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=11
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 89e730b605e..3502516273e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,64 @@
+ ==============================
+ Release Notes for Samba 4.11.8
+ April 28, 2020
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
+o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
+
+
+=======
+Details
+=======
+
+o CVE-2020-10700:
+ A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a
+ use-after-free in Samba's AD DC LDAP server.
+o CVE-2020-10704:
+ A deeply nested filter in an un-authenticated LDAP search can exhaust the
+ LDAP server's stack memory causing a SIGSEGV.
+
+For more details, please refer to the security advisories.
+
+
+Changes since 4.11.7
+--------------------
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14331: CVE-2020-10700: Fix use-after-free in AD DC LDAP server when
+ ASQ and paged_results combined.
+
+o Gary Lockyer <gary at catalyst.net.nz>
+ * BUG 20454: CVE-2020-10704: Fix LDAP Denial of Service (stack overflow) in
+ Samba AD DC.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
==============================
Release Notes for Samba 4.11.7
March 10, 2020
@@ -59,8 +120,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 4.11.6
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index 20c9c2a1fbb..e185acc0c20 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -76,7 +76,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
{
bool ret = false;
- struct asn1_data *data = asn1_init(NULL);
+ struct asn1_data *data = asn1_init(NULL, ASN1_MAX_TREE_DEPTH);
if (!data) return false;
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
new file mode 100644
index 00000000000..61bdcec674d
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max anonymous request size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the maximum permitted size (in bytes)
+ for an LDAP request received on an anonymous connection.
+ </para>
+
+ <para>
+ If the request size exceeds this limit the request will be
+ rejected.
+ </para>
+</description>
+<value type="default">256000</value>
+<value type="example">500000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
new file mode 100644
index 00000000000..c5934f73f95
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max authenticated request size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the maximum permitted size (in bytes)
+ for an LDAP request received on an authenticated connection.
+ </para>
+
+ <para>
+ If the request size exceeds this limit the request will be
+ rejected.
+ </para>
+</description>
+<value type="default">16777216</value>
+<value type="example">4194304</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
new file mode 100644
index 00000000000..ebeb0816c01
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max search request size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the maximum permitted size (in bytes)
+ for an LDAP search request.
+ </para>
+
+ <para>
+ If the request size exceeds this limit the request will be
+ rejected.
+ </para>
+</description>
+<value type="default">256000</value>
+<value type="example">4194304</value>
+</samba:parameter>
diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.0.10.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.0.10.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-2.0.10.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-2.0.10.sigs
diff --git a/lib/ldb/modules/asq.c b/lib/ldb/modules/asq.c
index 7482de826f0..4eba941ae0b 100644
--- a/lib/ldb/modules/asq.c
+++ b/lib/ldb/modules/asq.c
@@ -311,12 +311,9 @@ static int asq_build_multiple_requests(struct asq_context *ac, bool *terminated)
static int asq_search_continue(struct asq_context *ac)
{
- struct ldb_context *ldb;
bool terminated = false;
int ret;
- ldb = ldb_module_get_ctx(ac->module);
-
switch (ac->step) {
case ASQ_SEARCH_BASE:
@@ -328,7 +325,7 @@ static int asq_search_continue(struct asq_context *ac)
ac->step = ASQ_SEARCH_MULTI;
- return ldb_request(ldb, ac->reqs[ac->cur_req]);
+ return ldb_next_request(ac->module, ac->reqs[ac->cur_req]);
case ASQ_SEARCH_MULTI:
@@ -339,7 +336,7 @@ static int asq_search_continue(struct asq_context *ac)
return asq_search_terminate(ac);
}
- return ldb_request(ldb, ac->reqs[ac->cur_req]);
+ return ldb_next_request(ac->module, ac->reqs[ac->cur_req]);
}
return LDB_ERR_OPERATIONS_ERROR;
@@ -347,14 +344,11 @@ static int asq_search_continue(struct asq_context *ac)
static int asq_search(struct ldb_module *module, struct ldb_request *req)
{
- struct ldb_context *ldb;
struct ldb_request *base_req;
struct ldb_control *control;
struct asq_context *ac;
int ret;
- ldb = ldb_module_get_ctx(module);
-
/* check if there's an ASQ control */
control = ldb_request_get_control(req, LDB_CONTROL_ASQ_OID);
if (control == NULL) {
@@ -385,7 +379,7 @@ static int asq_search(struct ldb_module *module, struct ldb_request *req)
ac->step = ASQ_SEARCH_BASE;
- return ldb_request(ldb, base_req);
+ return ldb_next_request(ac->module, base_req);
}
static int asq_init(struct ldb_module *module)
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index c3f2f42b8c1..43571a7593f 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python
APPNAME = 'ldb'
-VERSION = '2.0.9'
+VERSION = '2.0.10'
import sys, os
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 883d4167bf4..e0c6adec9c8 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3025,6 +3025,13 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "debug encryption", "no");
+ lpcfg_do_global_parameter(
+ lp_ctx, "ldap max anonymous request size", "256000");
+ lpcfg_do_global_parameter(
+ lp_ctx, "ldap max authenticated request size", "16777216");
+ lpcfg_do_global_parameter(
+ lp_ctx, "ldap max search request size", "256000");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index 51da5424956..32d7981d28f 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -36,15 +36,19 @@ struct asn1_data {
off_t ofs;
struct nesting *nesting;
bool has_error;
+ unsigned depth;
+ unsigned max_depth;
};
/* allocate an asn1 structure */
-struct asn1_data *asn1_init(TALLOC_CTX *mem_ctx)
+struct asn1_data *asn1_init(TALLOC_CTX *mem_ctx, unsigned max_depth)
{
struct asn1_data *ret = talloc_zero(mem_ctx, struct asn1_data);
if (ret == NULL) {
DEBUG(0,("asn1_init failed! out of memory\n"));
+ return ret;
}
+ ret->max_depth = max_depth;
return ret;
}
@@ -480,6 +484,11 @@ bool asn1_check_BOOLEAN(struct asn1_data *data, bool v)
/* load a struct asn1_data structure with a lump of data, ready to be parsed */
bool asn1_load(struct asn1_data *data, DATA_BLOB blob)
{
+ /*
+ * Save the maximum depth
+ */
+ unsigned max_depth = data->max_depth;
+
ZERO_STRUCTP(data);
data->data = (uint8_t *)talloc_memdup(data, blob.data, blob.length);
if (!data->data) {
@@ -487,6 +496,7 @@ bool asn1_load(struct asn1_data *data, DATA_BLOB blob)
return false;
}
data->length = blob.length;
+ data->max_depth = max_depth;
return true;
}
@@ -637,6 +647,16 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag)
uint8_t b;
struct nesting *nesting;
+ /*
+ * Check the depth of the parse tree and prevent it from growing
+ * too large.
+ */
+ data->depth++;
+ if (data->depth > data->max_depth) {
+ data->has_error = true;
+ return false;
+ }
+
if (!asn1_read_uint8(data, &b))
return false;
@@ -693,6 +713,9 @@ bool asn1_end_tag(struct asn1_data *data)
{
struct nesting *nesting;
+ if (data->depth > 0) {
+ data->depth--;
+ }
/* make sure we read it all */
if (asn1_tag_remaining(data) != 0) {
data->has_error = true;
@@ -1103,9 +1126,14 @@ bool asn1_extract_blob(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
*/
void asn1_load_nocopy(struct asn1_data *data, uint8_t *buf, size_t len)
{
+ /*
+ * Save max_depth
+ */
+ unsigned max_depth = data->max_depth;
ZERO_STRUCTP(data);
data->data = buf;
data->length = len;
+ data->max_depth = max_depth;
}
int asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size)
@@ -1131,3 +1159,10 @@ int asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size)
*packet_size = size;
return 0;
}
+
+/*
+ * Get the length of the ASN.1 data
+ */
+size_t asn1_get_length(const struct asn1_data *asn1) {
+ return asn1->length;
+}
diff --git a/lib/util/asn1.h b/lib/util/asn1.h
index ddd69863574..de92a767f14 100644
--- a/lib/util/asn1.h
+++ b/lib/util/asn1.h
@@ -45,7 +45,14 @@ typedef struct asn1_data ASN1_DATA;
#define ASN1_MAX_OIDS 20
-struct asn1_data *asn1_init(TALLOC_CTX *mem_ctx);
+/*
+ * The maximum permitted depth for an ASN.1 parse tree, the limit is chosen
+ * to align with the value for windows. Note that this value will trigger
+ * ASAN stack overflow errors.
+ */
+#define ASN1_MAX_TREE_DEPTH 512
+
+struct asn1_data *asn1_init(TALLOC_CTX *mem_ctx, unsigned max_depth);
void asn1_free(struct asn1_data *data);
bool asn1_has_error(const struct asn1_data *data);
void asn1_set_error(struct asn1_data *data);
@@ -99,5 +106,6 @@ bool asn1_extract_blob(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
DATA_BLOB *pblob);
void asn1_load_nocopy(struct asn1_data *data, uint8_t *buf, size_t len);
int asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size);
+size_t asn1_get_length(const struct asn1_data *asn1);
#endif /* _ASN_1_H */
diff --git a/lib/util/tests/asn1_tests.c b/lib/util/tests/asn1_tests.c
index e4b386ad785..ab5262c4ffb 100644
--- a/lib/util/tests/asn1_tests.c
+++ b/lib/util/tests/asn1_tests.c
@@ -330,7 +330,7 @@ static bool test_asn1_Integer(struct torture_context *tctx)
DATA_BLOB blob;
int val;
- data = asn1_init(mem_ctx);
+ data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
if (!data) {
goto err;
}
diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
index f538b44552c..f7f19b10778 100644
--- a/libcli/auth/spnego_parse.c
+++ b/libcli/auth/spnego_parse.c
@@ -296,7 +296,7 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
return ret;
}
- asn1 = asn1_init(mem_ctx);
+ asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
if (asn1 == NULL) {
return -1;
}
@@ -339,7 +339,7 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego)
{
- struct asn1_data *asn1 = asn1_init(mem_ctx);
+ struct asn1_data *asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
ssize_t ret = -1;
if (asn1 == NULL) {
@@ -411,7 +411,7 @@ bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
DATA_BLOB *blob)
{
bool ret = false;
- struct asn1_data *asn1 = asn1_init(mem_ctx);
+ struct asn1_data *asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
if (asn1 == NULL) {
return false;
diff --git a/libcli/cldap/cldap.c b/libcli/cldap/cldap.c
index daba37a21d7..25c1b40f8d9 100644
--- a/libcli/cldap/cldap.c
+++ b/libcli/cldap/cldap.c
@@ -111,6 +111,11 @@ struct cldap_search_state {
struct tevent_req *req;
};
+/*
+ * For CLDAP we limit the maximum search request size to 4kb
+ */
+#define MAX_SEARCH_REQUEST 4096
+
static int cldap_socket_destructor(struct cldap_socket *c)
{
while (c->searches.list) {
@@ -224,12 +229,15 @@ static bool cldap_socket_recv_dgram(struct cldap_socket *c,
void *p;
struct cldap_search_state *search;
NTSTATUS status;
+ struct ldap_request_limits limits = {
+ .max_search_size = MAX_SEARCH_REQUEST
+ };
if (in->recv_errno != 0) {
goto error;
}
- asn1 = asn1_init(in);
+ asn1 = asn1_init(in, ASN1_MAX_TREE_DEPTH);
if (!asn1) {
goto nomem;
}
@@ -242,7 +250,7 @@ static bool cldap_socket_recv_dgram(struct cldap_socket *c,
}
/* this initial decode is used to find the message id */
- status = ldap_decode(asn1, NULL, in->ldap_msg);
+ status = ldap_decode(asn1, &limits, NULL, in->ldap_msg);
if (!NT_STATUS_IS_OK(status)) {
goto nterror;
}
@@ -770,6 +778,9 @@ NTSTATUS cldap_search_recv(struct tevent_req *req,
struct cldap_search_state);
struct ldap_message *ldap_msg;
NTSTATUS status;
+ struct ldap_request_limits limits = {
+ .max_search_size = MAX_SEARCH_REQUEST
+ };
if (tevent_req_is_nterror(req, &status)) {
goto failed;
@@ -780,7 +791,7 @@ NTSTATUS cldap_search_recv(struct tevent_req *req,
goto nomem;
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list