CVE-2018-1140 ldb_tdb: Check for DN validity in add, rename and search

This ensures we fail with a good error code before an eventual ldb_dn_get_casefold() which
would otherwise fail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

2 files changed, 42 insertions, 1 deletions

diff --git a/lib/ldb/ldb_key_value/ldb_kv.c b/lib/ldb/ldb_key_value/ldb_kv.c
index 3ea8d5e2ed4..d4f896736a2 100644
--- a/lib/ldb/ldb_key_value/ldb_kv.c
+++ b/lib/ldb/ldb_key_value/ldb_kv.c
@@ -440,6 +440,16 @@ static int ldb_kv_add_internal(struct ldb_module *module,
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	int ret = LDB_SUCCESS;
 	unsigned int i;
+	bool valid_dn = false;
+
+	/* Check the new DN is reasonable */
+	valid_dn = ldb_dn_validate(msg->dn);
+	if (valid_dn == false) {
+		ldb_asprintf_errstring(ldb_module_get_ctx(module),
+				       "Invalid DN in ADD: %s",
+				       ldb_dn_get_linearized(msg->dn));
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
 
 	for (i=0;i<msg->num_elements;i++) {
 		struct ldb_message_element *el = &msg->elements[i];
@@ -1229,6 +1239,7 @@ static int ldb_kv_rename(struct ldb_kv_context *ctx)
 	int ret = LDB_SUCCESS;
 	struct ldb_val  key, key_old;
 	struct ldb_dn *db_dn;
+	bool valid_dn = false;
 
 	ldb_request_set_state(req, LDB_ASYNC_PENDING);
 
@@ -1241,12 +1252,26 @@ static int ldb_kv_rename(struct ldb_kv_context *ctx)
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
+	/* Check the new DN is reasonable */
+	valid_dn = ldb_dn_validate(req->op.rename.newdn);
+	if (valid_dn == false) {
+		ldb_asprintf_errstring(ldb_module_get_ctx(module),
+				       "Invalid New DN: %s",
+				       ldb_dn_get_linearized(req->op.rename.newdn));
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
 	/* we need to fetch the old record to re-add under the new name */
 	ret = ldb_kv_search_dn1(module,
 				req->op.rename.olddn,
 				msg,
 				LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC);
-	if (ret != LDB_SUCCESS) {
+	if (ret == LDB_ERR_INVALID_DN_SYNTAX) {
+		ldb_asprintf_errstring(ldb_module_get_ctx(module),
+				       "Invalid Old DN: %s",
+				       ldb_dn_get_linearized(req->op.rename.newdn));
+		return ret;
+	} else if (ret != LDB_SUCCESS) {
 		/* not finding the old record is an error */
 		return ret;
 	}
diff --git a/lib/ldb/ldb_key_value/ldb_kv_search.c b/lib/ldb/ldb_key_value/ldb_kv_search.c
index cd7ff529607..e9964c2bd63 100644
--- a/lib/ldb/ldb_key_value/ldb_kv_search.c
+++ b/lib/ldb/ldb_key_value/ldb_kv_search.c
@@ -294,6 +294,14 @@ int ldb_kv_search_dn1(struct ldb_module *module,
 	};
 	TALLOC_CTX *tdb_key_ctx = NULL;
 
+	bool valid_dn = ldb_dn_validate(dn);
+	if (valid_dn == false) {
+		ldb_asprintf_errstring(ldb_module_get_ctx(module),
+				       "Invalid Base DN: %s",
+				       ldb_dn_get_linearized(dn));
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
 	if (ldb_kv->cache->GUID_index_attribute == NULL ||
 	    ldb_dn_is_special(dn)) {
 
@@ -789,6 +797,14 @@ int ldb_kv_search(struct ldb_kv_context *ctx)
 					       ldb_dn_get_linearized(req->op.search.base));
 		}
 
+	} else if (ldb_dn_validate(req->op.search.base) == false) {
+
+		/* We don't want invalid base DNs here */
+		ldb_asprintf_errstring(ldb,
+				       "Invalid Base DN: %s",
+				       ldb_dn_get_linearized(req->op.search.base));
+		ret = LDB_ERR_INVALID_DN_SYNTAX;
+
 	} else {
 		/* If we are not checking the base DN life is easy */
 		ret = LDB_SUCCESS;