| field | value | date |
|---|---|---|
| author | Andrew Bartlett <abartlet@samba.org> | 2020-03-11 16:43:31 +1300 |
| committer | Karolin Seeger <kseeger@samba.org> | 2020-04-21 13:20:31 +0200 |
| commit | 980831bb97c0caca95cf1d24d475f829f3c0a1d1 (patch) | |
| tree | 302712b441dfbd3cf8db07388de18cab9211a26a | |
| parent | 24e621b4dde15a26f4fbf1a2e2bc7ecdb77d26a4 (diff) | |
| download | samba-980831bb97c0caca95cf1d24d475f829f3c0a1d1.tar.gz | |
CVE-2020-10700: dsdb: Do not permit the ASQ control for the GUID search in paged_results
ASQ is a very strange control and a BASE search can return multiple results
that are NOT the requested DN, but the DNs pointed to by it!
Thanks to Andrei Popa <andrei.popa@next-gen.ro> for finding,
reporting and working with us to diagnose this issue!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
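The ASQ behaviour the commit message describes (a BASE search under ASQ returning the DNs an attribute points to, rather than the base object itself) is exactly what breaks the per-GUID lookup that paged_results uses to serve later pages. The Python below is an added simulation written for this page, not Samba code: it models a toy directory, the module's two-phase paging (real search once, then one BASE search per recorded objectGUID) and a `copy_down_controls` with and without the ASQ exclusion. The directory, its GUIDs and the `member` links are constructed; only the two control OID strings are the real LDAP control OIDs, and nothing here speaks LDAP on the wire.

```python
"""Added simulation: why paged_results must not copy ASQ down to its
per-GUID BASE lookups.  Not Samba code; the directory, GUIDs and 'member'
links below are constructed for the example.  Only the OIDs are real."""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # LDAP paged results control
ASQ_OID = "1.2.840.113556.1.4.1504"            # LDAP attribute scoped query control

# Constructed toy directory: DN -> attributes, with nested groups via 'member'.
DIRECTORY = {
    "CN=Admins,DC=example": {"objectGUID": "guid-admins",
                             "member": ["CN=Ops,DC=example", "CN=svc,DC=example"]},
    "CN=Ops,DC=example":    {"objectGUID": "guid-ops",
                             "member": ["CN=bob,DC=example"]},
    "CN=svc,DC=example":    {"objectGUID": "guid-svc", "member": []},
    "CN=bob,DC=example":    {"objectGUID": "guid-bob", "member": []},
}


def resolve_base(base):
    """Map a plain DN or a <GUID=...> extended DN to a DIRECTORY key."""
    if base.startswith("<GUID=") and base.endswith(">"):
        guid = base[len("<GUID="):-1]
        return next((dn for dn, a in DIRECTORY.items()
                     if a["objectGUID"] == guid), None)
    return base if base in DIRECTORY else None


def backend_search(base, scope, controls):
    """Toy LDAP search.  controls is a list of (oid, value) pairs.  With an
    ASQ control (value = attribute name) a BASE search returns the entries
    that attribute points to, not the base entry: the ASQ behaviour the
    commit message describes."""
    start = resolve_base(base)
    if start is None:
        return []
    asq_attr = next((v for oid, v in controls if oid == ASQ_OID), None)
    if asq_attr is not None:
        return [dn for dn in DIRECTORY[start].get(asq_attr, []) if dn in DIRECTORY]
    if scope == "base":
        return [start]
    return [dn for dn in DIRECTORY if dn.endswith(start)]   # toy subtree scope


def copy_down_controls(controls, exclude_asq):
    """Mirror of paged_results_copy_down_controls: the paged control is never
    copied down; with the fix, ASQ is dropped as well."""
    dropped = {PAGED_RESULTS_OID}
    if exclude_asq:
        dropped.add(ASQ_OID)
    return [c for c in controls if c[0] not in dropped]


def paged_search(base, scope, controls, page_size, exclude_asq):
    """Two-phase paging as in Samba's module: run the real search once, keep
    only the objectGUIDs, then serve each page by fetching every GUID with a
    BASE search that carries the copied-down controls."""
    first = backend_search(base, scope, controls)
    guids = [DIRECTORY[dn]["objectGUID"] for dn in first]
    down = copy_down_controls(controls, exclude_asq)
    pages = []
    for i in range(0, len(guids), page_size):
        page = []
        for guid in guids[i:i + page_size]:
            page.extend(backend_search(f"<GUID={guid}>", "base", down))
        pages.append(page)
    return first, pages


def run_demo(exclude_asq, page_size=1):
    """Client request: BASE search on CN=Admins with ASQ on 'member', paged.
    Returns (what the first search found, what the pages actually delivered)."""
    controls = [(PAGED_RESULTS_OID, page_size), (ASQ_OID, "member")]
    first, pages = paged_search("CN=Admins,DC=example", "base", controls,
                                page_size, exclude_asq)
    return first, [dn for page in pages for dn in page]


if __name__ == "__main__":
    for fixed in (False, True):
        first, delivered = run_demo(exclude_asq=fixed)
        print(f"ASQ excluded from per-GUID search: {fixed}")
        print(f"  first search found : {first}")
        print(f"  pages delivered    : {delivered}")
```

Without the exclusion the per-GUID BASE searches still carry ASQ, so each one returns the members of the recorded object (here CN=bob) instead of the object itself, and the pages deliver an entry the first search never matched; with the exclusion every page returns exactly the objects whose GUIDs were recorded.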
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | selftest/knownfail.d/asq | 1 |
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/paged_results.c | 18 |

2 files changed, 13 insertions, 6 deletions
diff --git a/selftest/knownfail.d/asq b/selftest/knownfail.d/asq deleted file mode 100644 index eb0e3e0aba1..00000000000 --- a/selftest/knownfail.d/asq +++ /dev/null @@ -1 +0,0 @@ -samba4.asq.python\(ad_dc_default\).__main__.ASQLDAPTest.test_asq_paged
\ No newline at end of file diff --git a/source4/dsdb/samdb/ldb_modules/paged_results.c b/source4/dsdb/samdb/ldb_modules/paged_results.c index 940d2254fb0..dc211dd18ce 100644 --- a/source4/dsdb/samdb/ldb_modules/paged_results.c +++ b/source4/dsdb/samdb/ldb_modules/paged_results.c @@ -483,8 +483,14 @@ paged_results_copy_down_controls(TALLOC_CTX *mem_ctx, if (control->oid == NULL) { continue; } - if (strncmp(control->oid, LDB_CONTROL_PAGED_RESULTS_OID, - sizeof(LDB_CONTROL_PAGED_RESULTS_OID)) == 0) { + if (strcmp(control->oid, LDB_CONTROL_PAGED_RESULTS_OID) == 0) { + continue; + } + /* + * ASQ changes everything, do not copy it down for the + * per-GUID search + */ + if (strcmp(control->oid, LDB_CONTROL_ASQ_OID) == 0) { continue; } new_controls[j] = talloc_steal(new_controls, control); @@ -534,21 +540,23 @@ static bool paged_controls_same(struct ldb_request *req, num_non_null_req_controls = 0; for (i=0; req->controls[i] != NULL; i++) { - if (req->controls[i]->oid != NULL) { + if (req->controls[i]->oid != NULL && + strcmp(req->controls[i]->oid, + LDB_CONTROL_ASQ_OID) != 0) { num_non_null_req_controls++; } } /* At this point we have the number of non-null entries for both * control lists and we know that: - * 1. down_controls does not contain the paged control + * 1. down_controls does not contain the paged control or ASQ * (because paged_results_copy_down_controls excludes it) * 2. req->controls does contain the paged control * (because this function is only called if this is true) * 3. down_controls is a subset of non-null controls in req->controls * (checked above) * So to confirm that the two lists are identical except for the paged - * control, all we need to check is: */ + * control and possibly ASQ, all we need to check is: */ if (num_non_null_req_controls == num_down_controls + 1) { return true; } |
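Review bot: deleting selftest/knownfail.d/asq promotes samba4.asq.python(ad_dc_default).__main__.ASQLDAPTest.test_asq_paged to a must-pass test, so the fix is covered by an existing test rather than a new one; the commit message would be clearer if it said so and named that test, since nothing in the C change references it.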
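Review bot: the new comment in paged_results_copy_down_controls ("ASQ changes everything") should say what goes wrong rather than only that ASQ is dropped: with ASQ still attached to the per-GUID BASE search the server returns the entries the named attribute points to instead of the object whose GUID was recorded, so a page can deliver objects the original search never matched. Suggest something like `/* ASQ makes a BASE search return the DNs an attribute points to, not the base itself, so never copy it down to the per-GUID lookup */`. The switch from strncmp with sizeof(LDB_CONTROL_PAGED_RESULTS_OID) to strcmp is behaviour-preserving, since that sizeof included the terminating NUL and so already compared the whole string.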
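Review bot: the exclusion of LDB_CONTROL_ASQ_OID is now spelled out twice, once in paged_results_copy_down_controls and again in the counting loop of paged_controls_same, and the updated comment ("does not contain the paged control or ASQ") depends on the two staying in step. A small shared predicate, e.g. `static bool paged_control_is_excluded(const char *oid)` used by both the copy-down loop and the count, would stop the list and the arithmetic from diverging the next time a control has to be excluded. The comment should also state that `num_non_null_req_controls == num_down_controls + 1` assumes exactly one paged control in req->controls, which is what item 2 of the comment relies on.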