diff options
| author | Garming Sam <garming@catalyst.net.nz> | 2018-11-05 16:18:18 +1300 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2018-11-26 09:38:10 +0100 |
| commit | ac0b38fb285fad3165560a26afeeeaf23d850c1c (patch) | |
| tree | cbc12b28c8b7cf4450c0b2f1c1b6ae57996c0994 | |
| parent | b49c87f8d64677390e5c4c6698b95beb74468653 (diff) | |
| download | samba-ac0b38fb285fad3165560a26afeeeaf23d850c1c.tar.gz | |
CVE-2018-16851 ldap_server: Check ret before manipulating blob
In the case of hitting the talloc ~256MB limit, this causes a crash in
the server.
Note that you would actually need to load >256MB of data into the LDAP.
Although there is some generated/hidden data which would help you reach that
limit (descriptors and RMD blobs).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
| -rw-r--r-- | source4/ldap_server/ldap_server.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c index d9f24e0817c..e5e9688ed98 100644 --- a/source4/ldap_server/ldap_server.c +++ b/source4/ldap_server/ldap_server.c @@ -669,13 +669,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call) ret = data_blob_append(call, &blob, b.data, b.length); data_blob_free(&b); - talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet"); - if (!ret) { ldapsrv_terminate_connection(conn, "data_blob_append failed"); return; } + talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet"); + DLIST_REMOVE(call->replies, call->replies); } |