authorGary Lockyer <gary@catalyst.net.nz>2020-04-08 08:49:23 +1200
committerKarolin Seeger <kseeger@samba.org>2020-04-22 12:50:42 +0200
commitdb78f2667eb51c106c66edebcf66914ea580bfc6 (patch)
tree7a3fd1e016a79e22e0aca35c9a4ff9d316987860 /lib
parent8729c05b1cd6a63d9f8e163b2e438007db3eb4f8 (diff)
CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode
Add search request size limits to ldap_decode calls. The ldap server uses the smb.conf variable "ldap max search request size", which defaults to 250 KiB. For cldap the limit is hard coded as 4096.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/fuzzing/fuzz_ldap_decode.c9
-rw-r--r--lib/param/loadparm.c2
2 files changed, 10 insertions, 1 deletions
diff --git a/lib/fuzzing/fuzz_ldap_decode.c b/lib/fuzzing/fuzz_ldap_decode.c
index d89ba637061..e3bcf7b9d0a 100644
--- a/lib/fuzzing/fuzz_ldap_decode.c
+++ b/lib/fuzzing/fuzz_ldap_decode.c
@@ -32,6 +32,12 @@ int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)
TALLOC_CTX *mem_ctx = talloc_init(__FUNCTION__);
struct asn1_data *asn1;
struct ldap_message *ldap_msg;
+ struct ldap_request_limits limits = {
+ /*
+ * The default size is currently 256000 bytes
+ */
+ .max_search_size = 256000
+ };
NTSTATUS status;
/*
@@ -50,7 +56,8 @@ int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)
goto out;
}
- status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg);
+ status = ldap_decode(
+ asn1, &limits, samba_ldap_control_handlers(), ldap_msg);
out:
talloc_free(mem_ctx);
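Review bot: The harness pins `.max_search_size` to the literal 256000, which duplicates the `"ldap max search request size"` default this same commit adds to lib/param/loadparm.c, and the comment above it only says the default is "currently" that value, so the two can drift without anyone noticing. Name the source in the comment so whoever changes the smb.conf default is led back to the harness: `/* Mirrors the "ldap max search request size" default in lib/param/loadparm.c; keep in sync. */`. Because the designated initializer zero-fills every other member of `struct ldap_request_limits`, the harness exercises only the search-size check at its default value; a second run with a much smaller limit (the commit message cites a hard-coded 4096 for cldap) would also cover the rejection path, though whether the harness can vary the limit per input is not visible here. `LLVMFuzzerTestOneInput` opens before the hunk and the `out:` cleanup continues past it.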
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 2eed5aa082d..63291283905 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3045,6 +3045,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lp_ctx, "ldap max anonymous request size", "256000");
lpcfg_do_global_parameter(
lp_ctx, "ldap max authenticated request size", "16777216");
+ lpcfg_do_global_parameter(
+ lp_ctx, "ldap max search request size", "256000");
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {