authorGary Lockyer <gary@catalyst.net.nz>2020-04-03 12:18:03 +1300
committerKarolin Seeger <kseeger@samba.org>2020-04-22 12:50:42 +0200
commit109b128ec1db7ffc90c43c075d86b1c3de344cba (patch)
treeb4a9ea56b0ebb387d6b497e6f8756be4ac21e9a3 /libcli
parentfecb05c8980100e32ab5812cc97d15edd5b83b50 (diff)
downloadsamba-109b128ec1db7ffc90c43c075d86b1c3de344cba.tar.gz
CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
Add maximum parse tree depth to the call to asn1_init, which will be used to limit the depth of the ASN.1 parse tree. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r--libcli/auth/spnego_parse.c6
-rw-r--r--libcli/cldap/cldap.c2
-rw-r--r--libcli/ldap/ldap_message.c2
3 files changed, 5 insertions, 5 deletions
diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
index f538b44552c..f7f19b10778 100644
--- a/libcli/auth/spnego_parse.c
+++ b/libcli/auth/spnego_parse.c
@@ -296,7 +296,7 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
return ret;
}
- asn1 = asn1_init(mem_ctx);
+ asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
if (asn1 == NULL) {
return -1;
}
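Review bot: In spnego_read_data the parser is created with the library-wide `ASN1_MAX_TREE_DEPTH`, although `data` is a token supplied by the peer and SPNEGO tokens appear to nest only a few levels; a smaller, SPNEGO-specific bound passed here would reject malformed tokens sooner. The value of the constant is defined outside this diff, so whether it is already tight enough cannot be judged from these lines. At minimum the call deserves a comment such as `/* peer-supplied blob: cap ASN.1 nesting so a crafted token cannot force deep parsing */`. The same applies to the `asn1_init(in, ASN1_MAX_TREE_DEPTH)` call in cldap_socket_recv_dgram, which handles a received datagram. Both function bodies continue outside their hunks.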
@@ -339,7 +339,7 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego)
{
- struct asn1_data *asn1 = asn1_init(mem_ctx);
+ struct asn1_data *asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
ssize_t ret = -1;
if (asn1 == NULL) {
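Review bot: spnego_write_data, spnego_write_mech_types and ldap_encode only build output from local structures, yet they now pass the parse-depth limit `ASN1_MAX_TREE_DEPTH`, and nothing at these call sites says what the limit means when encoding. If the limit is also enforced while writing (not visible in this diff), ldap_encode could start failing on a deeply nested message and would report that with the same `false` it returns for a failed allocation. A short comment at each encoder would settle this, for example `/* depth limit only matters when parsing; passed to satisfy asn1_init() */` if that is the case, or a statement of the actual encode-side behaviour otherwise. All three function bodies continue outside their hunks.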
@@ -411,7 +411,7 @@ bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
DATA_BLOB *blob)
{
bool ret = false;
- struct asn1_data *asn1 = asn1_init(mem_ctx);
+ struct asn1_data *asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
if (asn1 == NULL) {
return false;
diff --git a/libcli/cldap/cldap.c b/libcli/cldap/cldap.c
index f609bf278e4..3f687728517 100644
--- a/libcli/cldap/cldap.c
+++ b/libcli/cldap/cldap.c
@@ -233,7 +233,7 @@ static bool cldap_socket_recv_dgram(struct cldap_socket *c,
goto error;
}
- asn1 = asn1_init(in);
+ asn1 = asn1_init(in, ASN1_MAX_TREE_DEPTH);
if (!asn1) {
goto nomem;
}
diff --git a/libcli/ldap/ldap_message.c b/libcli/ldap/ldap_message.c
index f21598374a1..ba82bddeab1 100644
--- a/libcli/ldap/ldap_message.c
+++ b/libcli/ldap/ldap_message.c
@@ -390,7 +390,7 @@ _PUBLIC_ bool ldap_encode(struct ldap_message *msg,
const struct ldap_control_handler *control_handlers,
DATA_BLOB *result, TALLOC_CTX *mem_ctx)
{
- struct asn1_data *data = asn1_init(mem_ctx);
+ struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
int i, j;
if (!data) return false;