diff options
author | Gary Lockyer <gary@catalyst.net.nz> | 2020-04-08 08:49:23 +1200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-04-22 12:50:42 +0200 |
commit | db78f2667eb51c106c66edebcf66914ea580bfc6 (patch) | |
tree | 7a3fd1e016a79e22e0aca35c9a4ff9d316987860 /lib | |
parent | 8729c05b1cd6a63d9f8e163b2e438007db3eb4f8 (diff) | |
download | samba-db78f2667eb51c106c66edebcf66914ea580bfc6.tar.gz |
CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode
Add search request size limits to ldap_decode calls.
The ldap server uses the smb.conf variable
"ldap max search request size" which defaults to 250Kb.
For cldap the limit is hard coded as 4096.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/fuzzing/fuzz_ldap_decode.c | 9 | ||||
-rw-r--r-- | lib/param/loadparm.c | 2 |
2 files changed, 10 insertions, 1 deletions
diff --git a/lib/fuzzing/fuzz_ldap_decode.c b/lib/fuzzing/fuzz_ldap_decode.c index d89ba637061..e3bcf7b9d0a 100644 --- a/lib/fuzzing/fuzz_ldap_decode.c +++ b/lib/fuzzing/fuzz_ldap_decode.c @@ -32,6 +32,12 @@ int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) TALLOC_CTX *mem_ctx = talloc_init(__FUNCTION__); struct asn1_data *asn1; struct ldap_message *ldap_msg; + struct ldap_request_limits limits = { + /* + * The default size is currently 256000 bytes + */ + .max_search_size = 256000 + }; NTSTATUS status; /* @@ -50,7 +56,8 @@ int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) goto out; } - status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg); + status = ldap_decode( + asn1, &limits, samba_ldap_control_handlers(), ldap_msg); out: talloc_free(mem_ctx); diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 2eed5aa082d..63291283905 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -3045,6 +3045,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lp_ctx, "ldap max anonymous request size", "256000"); lpcfg_do_global_parameter( lp_ctx, "ldap max authenticated request size", "16777216"); + lpcfg_do_global_parameter( + lp_ctx, "ldap max search request size", "256000"); for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { |