author | Andrew Bartlett <abartlet@samba.org> | 2018-05-21 15:23:53 +1200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2018-08-14 13:57:15 +0200 |
commit | 3c1fbb18321f61df44d7b0f0c7452ae230960293 (patch) | |
tree | 11b611dc1cc592299773839dcf9cf6951054fc18 /lib/ldb | |
parent | b27d973341144a03db8dc824bfb3e5c65868fe7e (diff) | |
CVE-2018-1140 ldb_tdb: Check for DN validity in add, rename and search
This ensures we fail with a good error code before an eventual ldb_dn_get_casefold() which
would otherwise fail.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
Diffstat (limited to 'lib/ldb')
-rw-r--r-- | lib/ldb/ldb_key_value/ldb_kv.c | 27 | ||||
-rw-r--r-- | lib/ldb/ldb_key_value/ldb_kv_search.c | 16 |
2 files changed, 42 insertions, 1 deletions
diff --git a/lib/ldb/ldb_key_value/ldb_kv.c b/lib/ldb/ldb_key_value/ldb_kv.c index 3ea8d5e2ed4..d4f896736a2 100644 --- a/lib/ldb/ldb_key_value/ldb_kv.c +++ b/lib/ldb/ldb_key_value/ldb_kv.c @@ -440,6 +440,16 @@ static int ldb_kv_add_internal(struct ldb_module *module, struct ldb_context *ldb = ldb_module_get_ctx(module); int ret = LDB_SUCCESS; unsigned int i; + bool valid_dn = false; + + /* Check the new DN is reasonable */ + valid_dn = ldb_dn_validate(msg->dn); + if (valid_dn == false) { + ldb_asprintf_errstring(ldb_module_get_ctx(module), + "Invalid DN in ADD: %s", + ldb_dn_get_linearized(msg->dn)); + return LDB_ERR_INVALID_DN_SYNTAX; + } for (i=0;i<msg->num_elements;i++) { struct ldb_message_element *el = &msg->elements[i]; @@ -1229,6 +1239,7 @@ static int ldb_kv_rename(struct ldb_kv_context *ctx) int ret = LDB_SUCCESS; struct ldb_val key, key_old; struct ldb_dn *db_dn; + bool valid_dn = false; ldb_request_set_state(req, LDB_ASYNC_PENDING); @@ -1241,12 +1252,26 @@ static int ldb_kv_rename(struct ldb_kv_context *ctx) return LDB_ERR_OPERATIONS_ERROR; } + /* Check the new DN is reasonable */ + valid_dn = ldb_dn_validate(req->op.rename.newdn); + if (valid_dn == false) { + ldb_asprintf_errstring(ldb_module_get_ctx(module), + "Invalid New DN: %s", + ldb_dn_get_linearized(req->op.rename.newdn)); + return LDB_ERR_INVALID_DN_SYNTAX; + } + /* we need to fetch the old record to re-add under the new name */ ret = ldb_kv_search_dn1(module, req->op.rename.olddn, msg, LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC); - if (ret != LDB_SUCCESS) { + if (ret == LDB_ERR_INVALID_DN_SYNTAX) { + ldb_asprintf_errstring(ldb_module_get_ctx(module), + "Invalid Old DN: %s", + ldb_dn_get_linearized(req->op.rename.newdn)); + return ret; + } else if (ret != LDB_SUCCESS) { /* not finding the old record is an error */ return ret; } diff --git a/lib/ldb/ldb_key_value/ldb_kv_search.c b/lib/ldb/ldb_key_value/ldb_kv_search.c index cd7ff529607..e9964c2bd63 100644 --- a/lib/ldb/ldb_key_value/ldb_kv_search.c 
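Review bot: In the new early return of ldb_kv_add_internal, the result of `ldb_dn_get_linearized(msg->dn)` goes straight into `%s` for a DN that has just failed `ldb_dn_validate()`. That function's definition is not in this diff; if it can return NULL for such a DN, the error path hands NULL to a string conversion, so a fallback such as `const char *s = ldb_dn_get_linearized(msg->dn);` with `s != NULL ? s : "(unprintable)"` as the argument would be safer. The same pattern appears in the rename hunk below and in both hunks of ldb_kv_search.c. The block could also use the `ldb` variable already declared at the top of the function instead of calling `ldb_module_get_ctx(module)` again. The function body continues outside the hunk.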
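Review bot: The `Invalid Old DN: %s` message in the new `ret == LDB_ERR_INVALID_DN_SYNTAX` branch of ldb_kv_rename prints `req->op.rename.newdn`, although the lookup that failed was for `req->op.rename.olddn`. By that point newdn has already passed `ldb_dn_validate()`, so the error string names a valid DN and hides the one that was rejected, which makes a malformed rename request harder to trace from logs. The argument should read `ldb_dn_get_linearized(req->op.rename.olddn));`. ldb_kv_rename starts and ends outside the hunk.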
+++ b/lib/ldb/ldb_key_value/ldb_kv_search.c @@ -294,6 +294,14 @@ int ldb_kv_search_dn1(struct ldb_module *module, }; TALLOC_CTX *tdb_key_ctx = NULL; + bool valid_dn = ldb_dn_validate(dn); + if (valid_dn == false) { + ldb_asprintf_errstring(ldb_module_get_ctx(module), + "Invalid Base DN: %s", + ldb_dn_get_linearized(dn)); + return LDB_ERR_INVALID_DN_SYNTAX; + } + if (ldb_kv->cache->GUID_index_attribute == NULL || ldb_dn_is_special(dn)) { @@ -789,6 +797,14 @@ int ldb_kv_search(struct ldb_kv_context *ctx) ldb_dn_get_linearized(req->op.search.base)); } + } else if (ldb_dn_validate(req->op.search.base) == false) { + + /* We don't want invalid base DNs here */ + ldb_asprintf_errstring(ldb, + "Invalid Base DN: %s", + ldb_dn_get_linearized(req->op.search.base)); + ret = LDB_ERR_INVALID_DN_SYNTAX; + } else { /* If we are not checking the base DN life is easy */ ret = LDB_SUCCESS; |
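Review bot: The check added at the top of ldb_kv_search_dn1 reports `Invalid Base DN: %s`, but this function has at least one non-search caller: the rename hunk in ldb_kv.c calls it for the old DN and has to overwrite the message. A neutral text such as `"Invalid DN: %s"` would be accurate for callers that do not replace the error string. The function's header comment, which is outside the hunk, should also state that `LDB_ERR_INVALID_DN_SYNTAX` is now a possible return value, since the rename hunk relies on it.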
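Review bot: The comment `/* We don't want invalid base DNs here */` in the new `else if` branch of ldb_kv_search does not say why, and the branch is reached only when the earlier conditions of this if/else chain, which are outside the hunk, are false. Going by the commit message, the reason is a later `ldb_dn_get_casefold()` that would otherwise fail, so I would write `/* Reject an invalid base DN now: a later ldb_dn_get_casefold() would fail on it */`. It is worth confirming that the earlier branches also end in a validity check (presumably through ldb_kv_search_dn1), because they are not visible here.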