[SCM] Samba Shared Repository - branch v4-10-test updated

Karolin Seeger kseeger at samba.org
Tue Apr 28 11:52:44 UTC 2020


The branch, v4-10-test has been updated
       via  5998d32ab73 VERSION: Bump version up to 4.10.16.
       via  e1addc5cdd8 Merge tag 'samba-4.10.15' into v4-10-test
       via  b98108ff760 VERSION: Disable GIT_SNAPSHOT for the 4.10.15 release.
       via  b78b4ef0874 WHATSNEW: Add release notes for Samba 4.10.15.
       via  ea944665e6f CVE-2020-10704 libcli ldap: Check search request lengths.
       via  139f49ac0c8 CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode
       via  2714fb173f9 CVE-2020-10704: S4 ldap server: Limit request sizes
       via  4ec90ccda8d CVE-2020-10704: smb.conf: Add max ldap request sizes
       via  fdc00bf95f5 CVE-2020-10704: ldapserver tests: Python 2 comaptibility
       via  d8ec11ea9f3 CVE-2020-10704: ldapserver tests: Limit search request sizes
       via  8e7b910f687 CVE-2020-10704: lib util asn1: Check parse tree depth
       via  ab4ff93b05b CVE-2020-10704: libcli ldap: test recursion depth in ldap_decode_filter_tree
       via  2aa1d7a8e42 CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
       via  100821b43c4 CVE-2020-10700: ldb: Bump version up to 1.5.7.
       via  865ca0dbe5e CVE-2020-10700: dsdb: Do not permit the ASQ control for the GUID search in paged_results
       via  350361c779b CVE-2020-10700: ldb: Always use ldb_next_request() in ASQ module
       via  afbbd3faebb CVE-2020-10700: dsdb: Add test for ASQ and ASQ in combination with paged_results
       via  0f64711aae9 VERSION: Bump verison up to 4.10.15...
      from  53ea67687d3 VERSION: Bump verison up to 4.10.15...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test


- Log -----------------------------------------------------------------
commit 5998d32ab73661480438413857071b89c2d1c2f0
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Apr 28 13:52:11 2020 +0200

    VERSION: Bump version up to 4.10.16.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit e1addc5cdd87e463162c5fbe06852f841f2a192f
Merge: 53ea67687d3 b98108ff760
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Apr 28 13:51:48 2020 +0200

    Merge tag 'samba-4.10.15' into v4-10-test
    
    samba: tag release samba-4.10.15

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       |  65 ++++-
 auth/gensec/gensec_util.c                          |   2 +-
 docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml    |  18 ++
 docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml    |  18 ++
 docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml  |  18 ++
 lib/ldb/ABI/{ldb-1.5.6.sigs => ldb-1.5.7.sigs}     |   0
 ...yldb-util-1.1.10.sigs => pyldb-util-1.5.7.sigs} |   0
 ...-util-1.1.10.sigs => pyldb-util.py3-1.5.7.sigs} |   0
 lib/ldb/modules/asq.c                              |  12 +-
 lib/ldb/wscript                                    |   2 +-
 lib/param/loadparm.c                               |   7 +
 lib/util/asn1.c                                    |  37 ++-
 lib/util/asn1.h                                    |  10 +-
 lib/util/tests/asn1_tests.c                        |   2 +-
 libcli/auth/spnego_parse.c                         |   6 +-
 libcli/cldap/cldap.c                               |  20 +-
 libcli/ldap/ldap_message.c                         |   7 +-
 libcli/ldap/ldap_message.h                         |   5 +
 libcli/ldap/tests/data/10000-or.dat                | Bin 0 -> 39875 bytes
 libcli/ldap/tests/data/ldap-recursive.dat          | Bin 0 -> 970 bytes
 libcli/ldap/tests/ldap_message_test.c              | 287 +++++++++++++++++++++
 libcli/ldap/wscript_build                          |  15 ++
 python/samba/tests/ldap_raw.py                     | 249 ++++++++++++++++++
 source3/lib/tldap.c                                |   4 +-
 source3/lib/tldap_util.c                           |   4 +-
 source3/libsmb/clispnego.c                         |   4 +-
 source3/param/loadparm.c                           |   4 +
 source4/auth/gensec/gensec_krb5.c                  |   4 +-
 source4/dsdb/samdb/ldb_modules/paged_results.c     |  18 +-
 source4/dsdb/tests/python/asq.py                   | 171 ++++++++++++
 source4/ldap_server/ldap_server.c                  | 108 +++++++-
 source4/libcli/ldap/ldap_client.c                  |   5 +-
 source4/libcli/ldap/ldap_controls.c                |  48 ++--
 source4/selftest/tests.py                          |   9 +
 35 files changed, 1093 insertions(+), 68 deletions(-)
 create mode 100644 docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
 copy lib/ldb/ABI/{ldb-1.5.6.sigs => ldb-1.5.7.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.5.7.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.5.7.sigs} (100%)
 create mode 100644 libcli/ldap/tests/data/10000-or.dat
 create mode 100644 libcli/ldap/tests/data/ldap-recursive.dat
 create mode 100644 libcli/ldap/tests/ldap_message_test.c
 create mode 100644 python/samba/tests/ldap_raw.py
 create mode 100644 source4/dsdb/tests/python/asq.py


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 7aa5cf2229d..29647ecdf8a 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=10
-SAMBA_VERSION_RELEASE=15
+SAMBA_VERSION_RELEASE=16
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 9cdd30b5755..2d2c7ff2043 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,64 @@
+                   ===============================
+                   Release Notes for Samba 4.10.15
+                           April 28, 2020
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ 
+o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
+
+
+=======
+Details
+=======
+
+o  CVE-2020-10700:
+   A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a
+   use-after-free in Samba's AD DC LDAP server.
+o  CVE-2020-10704:
+   A deeply nested filter in an un-authenticated LDAP search can exhaust the
+   LDAP server's stack memory causing a SIGSEGV.
+
+For more details, please refer to the security advisories.
+
+
+Changes since 4.10.14
+---------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 14331: CVE-2020-10700: Fix use-after-free in AD DC LDAP server when
+     ASQ and paged_results combined.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 20454: CVE-2020-10704: Fix LDAP Denial of Service (stack overflow) in
+     Samba AD DC.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ===============================
                    Release Notes for Samba 4.10.14
                            March 26, 2020
@@ -63,8 +124,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ===============================
                    Release Notes for Samba 4.10.13
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index 20c9c2a1fbb..e185acc0c20 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -76,7 +76,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
 {
 	bool ret = false;
-	struct asn1_data *data = asn1_init(NULL);
+	struct asn1_data *data = asn1_init(NULL, ASN1_MAX_TREE_DEPTH);
 
 	if (!data) return false;
 
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
new file mode 100644
index 00000000000..61bdcec674d
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max anonymous request size"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+		This parameter specifies the maximum permitted size (in bytes)
+		for an LDAP request received on an anonymous connection.
+	</para>
+
+	<para>
+		If the request size exceeds this limit the request will be
+		rejected.
+	</para>
+</description>
+<value type="default">256000</value>
+<value type="example">500000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
new file mode 100644
index 00000000000..c5934f73f95
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max authenticated request size"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+		This parameter specifies the maximum permitted size (in bytes)
+		for an LDAP request received on an authenticated connection.
+	</para>
+
+	<para>
+		If the request size exceeds this limit the request will be
+		rejected.
+	</para>
+</description>
+<value type="default">16777216</value>
+<value type="example">4194304</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
new file mode 100644
index 00000000000..ebeb0816c01
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max search request size"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+		This parameter specifies the maximum permitted size (in bytes)
+		for an LDAP search request. 
+	</para>
+
+	<para>
+		If the request size exceeds this limit the request will be
+		rejected.
+	</para>
+</description>
+<value type="default">256000</value>
+<value type="example">4194304</value>
+</samba:parameter>
diff --git a/lib/ldb/ABI/ldb-1.5.6.sigs b/lib/ldb/ABI/ldb-1.5.7.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.5.6.sigs
copy to lib/ldb/ABI/ldb-1.5.7.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-1.5.7.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-1.5.7.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util.py3-1.5.7.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.5.7.sigs
diff --git a/lib/ldb/modules/asq.c b/lib/ldb/modules/asq.c
index 7482de826f0..4eba941ae0b 100644
--- a/lib/ldb/modules/asq.c
+++ b/lib/ldb/modules/asq.c
@@ -311,12 +311,9 @@ static int asq_build_multiple_requests(struct asq_context *ac, bool *terminated)
 
 static int asq_search_continue(struct asq_context *ac)
 {
-	struct ldb_context *ldb;
 	bool terminated = false;
 	int ret;
 
-	ldb = ldb_module_get_ctx(ac->module);
-
 	switch (ac->step) {
 	case ASQ_SEARCH_BASE:
 
@@ -328,7 +325,7 @@ static int asq_search_continue(struct asq_context *ac)
 
 		ac->step = ASQ_SEARCH_MULTI;
 
-		return ldb_request(ldb, ac->reqs[ac->cur_req]);
+		return ldb_next_request(ac->module, ac->reqs[ac->cur_req]);
 
 	case ASQ_SEARCH_MULTI:
 
@@ -339,7 +336,7 @@ static int asq_search_continue(struct asq_context *ac)
 			return asq_search_terminate(ac);
 		}
 
-		return ldb_request(ldb, ac->reqs[ac->cur_req]);
+		return ldb_next_request(ac->module, ac->reqs[ac->cur_req]);
 	}
 
 	return LDB_ERR_OPERATIONS_ERROR;
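Review bot: Nothing at the new `ldb_next_request(ac->module, ac->reqs[ac->cur_req])` call in the ASQ_SEARCH_MULTI case records why it must not be `ldb_request(ldb, ...)`, and the same holds for the ASQ_SEARCH_BASE call in the hunk above and the `base_req` call in asq_search below. `ldb_request()` starts again at the top of the module stack, which presumably is how the ASQ sub-requests re-entered paged_results in CVE-2020-10700. I would add a comment at each call such as `/* Pass to the next module only; ldb_request() would restart at the top of the module stack (CVE-2020-10700). */` so that a later cleanup does not put the old call back. asq_search_continue starts outside this hunk.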
@@ -347,14 +344,11 @@ static int asq_search_continue(struct asq_context *ac)
 
 static int asq_search(struct ldb_module *module, struct ldb_request *req)
 {
-	struct ldb_context *ldb;
 	struct ldb_request *base_req;
 	struct ldb_control *control;
 	struct asq_context *ac;
 	int ret;
 
-	ldb = ldb_module_get_ctx(module);
-
 	/* check if there's an ASQ control */
 	control = ldb_request_get_control(req, LDB_CONTROL_ASQ_OID);
 	if (control == NULL) {
@@ -385,7 +379,7 @@ static int asq_search(struct ldb_module *module, struct ldb_request *req)
 
 	ac->step = ASQ_SEARCH_BASE;
 
-	return ldb_request(ldb, base_req);
+	return ldb_next_request(ac->module, base_req);
 }
 
 static int asq_init(struct ldb_module *module)
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 92975b9116d..0f760a9bc80 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'ldb'
-VERSION = '1.5.6'
+VERSION = '1.5.7'
 
 import sys, os
 
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index e4d27cae8ea..4c3dfff24f3 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3008,6 +3008,13 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "store dos attributes", "yes");
 
+	lpcfg_do_global_parameter(
+		lp_ctx, "ldap max anonymous request size", "256000");
+	lpcfg_do_global_parameter(
+		lp_ctx, "ldap max authenticated request size", "16777216");
+	lpcfg_do_global_parameter(
+		lp_ctx, "ldap max search request size", "256000");
+
 	for (i = 0; parm_table[i].label; i++) {
 		if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 			lp_ctx->flags[i] |= FLAG_DEFAULT;
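Review bot: The three new defaults are bare string literals that repeat the `<value type="default">` entries in the new docs-xml/smbdotconf/ldap/ldapmax*.xml files, and nothing in the code ties the two together. The diffstat also lists a change to source3/param/loadparm.c, which is not visible in this truncated changeset and may carry the same numbers a third time. A comment above the block such as `/* LDAP request size limits (CVE-2020-10704); keep in sync with docs-xml/smbdotconf/ldap/ldapmax*.xml */` would help keep them aligned. It is also worth stating there that "ldap max anonymous request size" is the limit that applies before authentication, so raising it widens what an unauthenticated client can make the server parse. loadparm_init continues outside the hunk.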
diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index 60ddfa09bcf..03d417d8104 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -36,15 +36,19 @@ struct asn1_data {
 	off_t ofs;
 	struct nesting *nesting;
 	bool has_error;
+	unsigned depth;
+	unsigned max_depth;
 };
 
 /* allocate an asn1 structure */
-struct asn1_data *asn1_init(TALLOC_CTX *mem_ctx)
+struct asn1_data *asn1_init(TALLOC_CTX *mem_ctx, unsigned max_depth)
 {
 	struct asn1_data *ret = talloc_zero(mem_ctx, struct asn1_data);
 	if (ret == NULL) {
 		DEBUG(0,("asn1_init failed! out of memory\n"));
+		return ret;
 	}
+	ret->max_depth = max_depth;
 	return ret;
 }
 
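Review bot: The one-line comment above asn1_init still reads "allocate an asn1 structure" and says nothing about the new `max_depth` parameter. Given the check added to asn1_start_tag (`data->depth++` followed by `depth > max_depth`), a caller passing 0 gets a context on which every asn1_start_tag fails, which deserves a sentence in that comment. I would extend it to something like `/* allocate an asn1 structure; max_depth is the deepest tag nesting asn1_start_tag() will accept, 0 rejects every tag */`. As a style point, the added `return ret;` inside the `ret == NULL` branch would read more clearly as `return NULL;`.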
@@ -473,6 +477,11 @@ bool asn1_check_BOOLEAN(struct asn1_data *data, bool v)
 /* load a struct asn1_data structure with a lump of data, ready to be parsed */
 bool asn1_load(struct asn1_data *data, DATA_BLOB blob)
 {
+	/*
+	 * Save the maximum depth
+	 */
+	unsigned max_depth = data->max_depth;
+
 	ZERO_STRUCTP(data);
 	data->data = (uint8_t *)talloc_memdup(data, blob.data, blob.length);
 	if (!data->data) {
@@ -480,6 +489,7 @@ bool asn1_load(struct asn1_data *data, DATA_BLOB blob)
 		return false;
 	}
 	data->length = blob.length;
+	data->max_depth = max_depth;
 	return true;
 }
 
@@ -630,6 +640,16 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag)
 	uint8_t b;
 	struct nesting *nesting;
 
+	/*
+	 * Check the depth of the parse tree and prevent it from growing
+	 * too large.
+	 */
+	data->depth++;
+	if (data->depth > data->max_depth) {
+		data->has_error = true;
+		return false;
+	}
+
 	if (!asn1_read_uint8(data, &b))
 		return false;
 
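Review bot: When the depth limit trips, the new block only sets `data->has_error` and returns false, so a request rejected for excessive nesting is indistinguishable in the logs from any other malformed packet. Since this limit exists to stop a remotely triggerable stack exhaustion, a low-volume message before the return, for example `DEBUG(3, ("asn1_start_tag: depth %u exceeds max_depth %u\n", data->depth, data->max_depth));`, would give operators something to detect and alert on. Separately, `data->depth++` runs before `asn1_read_uint8`, so a later read failure leaves the counter one higher than the nesting list; that looks harmless as long as callers stop at the first error, but a short comment saying so would help. The rest of asn1_start_tag is outside this hunk.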
@@ -686,6 +706,9 @@ bool asn1_end_tag(struct asn1_data *data)
 {
 	struct nesting *nesting;
 
+	if (data->depth > 0) {
+		data->depth--;
+	}
 	/* make sure we read it all */
 	if (asn1_tag_remaining(data) != 0) {
 		data->has_error = true;
@@ -1096,9 +1119,14 @@ bool asn1_extract_blob(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
 */
 void asn1_load_nocopy(struct asn1_data *data, uint8_t *buf, size_t len)
 {
+	/*
+	 * Save max_depth
+	 */
+	unsigned max_depth = data->max_depth;
 	ZERO_STRUCTP(data);
 	data->data = buf;
 	data->length = len;
+	data->max_depth = max_depth;
 }
 
 int asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size)
@@ -1124,3 +1152,10 @@ int asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size)
 	*packet_size = size;
 	return 0;
 }
+
+/*
+ * Get the length of the ASN.1 data
+ */
+size_t asn1_get_length(const struct asn1_data *asn1) {
+	return asn1->length;
+}
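Review bot: The new asn1_get_length puts its opening brace on the signature line, whereas asn1_init and asn1_load in this same file put it on a line of its own; I would write `size_t asn1_get_length(const struct asn1_data *asn1)` followed by `{` on the next line to match. The comment "Get the length of the ASN.1 data" could also say that this is the total size in bytes of the loaded buffer (`asn1->length`, set from `blob.length` in asn1_load) rather than the bytes remaining to parse, since callers use it to enforce request size limits.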
diff --git a/lib/util/asn1.h b/lib/util/asn1.h
index ddd69863574..de92a767f14 100644
--- a/lib/util/asn1.h
+++ b/lib/util/asn1.h
@@ -45,7 +45,14 @@ typedef struct asn1_data ASN1_DATA;
 
 #define ASN1_MAX_OIDS 20
 
-struct asn1_data *asn1_init(TALLOC_CTX *mem_ctx);
+/*
+ * The maximum permitted depth for an ASN.1 parse tree, the limit is chosen
+ * to align with the value for windows. Note that this value will trigger
+ * ASAN stack overflow errors.
+ */
+#define ASN1_MAX_TREE_DEPTH 512
+
+struct asn1_data *asn1_init(TALLOC_CTX *mem_ctx, unsigned max_depth);
 void asn1_free(struct asn1_data *data);
 bool asn1_has_error(const struct asn1_data *data);
 void asn1_set_error(struct asn1_data *data);
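Review bot: The comment on `ASN1_MAX_TREE_DEPTH` ends with "Note that this value will trigger ASAN stack overflow errors", which leaves a reader unsure whether 512 is actually safe. It should name the recursive decode path it refers to (the commit list mentions ldap_decode_filter_tree) and say that the overflow is seen only with the larger stack frames of sanitizer builds, if that is the case. It would also help to note that the limit is only as safe as the per-level stack use of that recursion, so anyone enlarging those frames must revisit the constant. Because asn1_init now takes `max_depth` per context, callers that parse shallow structures (the OID check in gensec_util.c and the SPNEGO parser in spnego_parse.c, judging by their names) could pass a much smaller bound than this global maximum.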
@@ -99,5 +106,6 @@ bool asn1_extract_blob(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
 		       DATA_BLOB *pblob);
 void asn1_load_nocopy(struct asn1_data *data, uint8_t *buf, size_t len);
 int asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size);
+size_t asn1_get_length(const struct asn1_data *asn1);
 
 #endif /* _ASN_1_H */
diff --git a/lib/util/tests/asn1_tests.c b/lib/util/tests/asn1_tests.c
index e4b386ad785..ab5262c4ffb 100644
--- a/lib/util/tests/asn1_tests.c
+++ b/lib/util/tests/asn1_tests.c
@@ -330,7 +330,7 @@ static bool test_asn1_Integer(struct torture_context *tctx)
 		DATA_BLOB blob;
 		int val;
 
-		data = asn1_init(mem_ctx);
+		data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
 		if (!data) {
 			goto err;
 		}
diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
index f538b44552c..f7f19b10778 100644
--- a/libcli/auth/spnego_parse.c
+++ b/libcli/auth/spnego_parse.c
@@ -296,7 +296,7 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
 		return ret;
 	}
 
-	asn1 = asn1_init(mem_ctx);
+	asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
 	if (asn1 == NULL) {
 		return -1;
 	}
@@ -339,7 +339,7 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
 
 ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego)
 {
-	struct asn1_data *asn1 = asn1_init(mem_ctx);
+	struct asn1_data *asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
 	ssize_t ret = -1;
 
 	if (asn1 == NULL) {
@@ -411,7 +411,7 @@ bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
 			     DATA_BLOB *blob)
 {
 	bool ret = false;
-	struct asn1_data *asn1 = asn1_init(mem_ctx);
+	struct asn1_data *asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
 
 	if (asn1 == NULL) {
 		return false;
diff --git a/libcli/cldap/cldap.c b/libcli/cldap/cldap.c
index daba37a21d7..25c1b40f8d9 100644
--- a/libcli/cldap/cldap.c
+++ b/libcli/cldap/cldap.c
@@ -111,6 +111,11 @@ struct cldap_search_state {
 	struct tevent_req *req;
 };
 
+/*
+ * For CLDAP we limit the maximum search request size to 4kb
+ */
+#define MAX_SEARCH_REQUEST 4096
+
 static int cldap_socket_destructor(struct cldap_socket *c)
 {
 	while (c->searches.list) {
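Review bot: `MAX_SEARCH_REQUEST` is a very generic name for a file-scope macro in cldap.c and its comment gives the unit as "4kb", which can be read as kilobits or as 4000 bytes. Something like `#define CLDAP_MAX_SEARCH_REQUEST_SIZE 4096` with the comment "limit the maximum search request size to 4096 bytes" would be unambiguous. The comment could also say why CLDAP gets a much smaller limit than the 256000-byte LDAP search default added in this changeset, presumably because CLDAP requests arrive in a single datagram.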
@@ -224,12 +229,15 @@ static bool cldap_socket_recv_dgram(struct cldap_socket *c,
 	void *p;
 	struct cldap_search_state *search;
 	NTSTATUS status;
+	struct ldap_request_limits limits = {
+		.max_search_size = MAX_SEARCH_REQUEST
+	};
 
 	if (in->recv_errno != 0) {
 		goto error;
 	}
 
-	asn1 = asn1_init(in);
+	asn1 = asn1_init(in, ASN1_MAX_TREE_DEPTH);
 	if (!asn1) {
 		goto nomem;
 	}
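Review bot: `limits` initialises only `.max_search_size`, so every other member of `struct ldap_request_limits` is zero here. The struct definition in libcli/ldap/ldap_message.h is not part of the visible changeset, so it is unclear whether a zero member means "no limit" or "reject everything". A comment on the initialiser stating which, or explicit values for every member, would stop a future field from silently defaulting to unlimited on this unauthenticated datagram path. The same initialiser is repeated in cldap_search_recv further down; one file-scope `static const struct ldap_request_limits cldap_limits = { .max_search_size = MAX_SEARCH_REQUEST };` would keep the two in step, assuming ldap_decode() accepts a const pointer. cldap_socket_recv_dgram starts and ends outside this hunk.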
@@ -242,7 +250,7 @@ static bool cldap_socket_recv_dgram(struct cldap_socket *c,
 	}
 
 	/* this initial decode is used to find the message id */
-	status = ldap_decode(asn1, NULL, in->ldap_msg);
+	status = ldap_decode(asn1, &limits, NULL, in->ldap_msg);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto nterror;
 	}
@@ -770,6 +778,9 @@ NTSTATUS cldap_search_recv(struct tevent_req *req,
 					   struct cldap_search_state);
 	struct ldap_message *ldap_msg;
 	NTSTATUS status;
+	struct ldap_request_limits limits = {
+		.max_search_size = MAX_SEARCH_REQUEST
+	};
 
 	if (tevent_req_is_nterror(req, &status)) {


-- 
Samba Shared Repository


