diff options
author | Gary Lockyer <gary@catalyst.net.nz> | 2020-04-08 10:46:44 +1200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-04-22 12:50:42 +0200 |
commit | 71b92c9554d2e92281c6ce7f0340def2e6c0623c (patch) | |
tree | a7c4fe334a93c34b4a59d0ff4febba7e27f54677 /libcli | |
parent | db78f2667eb51c106c66edebcf66914ea580bfc6 (diff) | |
download | samba-71b92c9554d2e92281c6ce7f0340def2e6c0623c.tar.gz |
CVE-2020-10704 libcli ldap: Check search request lengths.
Check the search request lengths against the limits passed to
ldap_decode.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/ldap/ldap_message.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libcli/ldap/ldap_message.c b/libcli/ldap/ldap_message.c index d38fa0b3b61..69a48279532 100644 --- a/libcli/ldap/ldap_message.c +++ b/libcli/ldap/ldap_message.c @@ -1259,7 +1259,11 @@ _PUBLIC_ NTSTATUS ldap_decode(struct asn1_data *data, struct ldap_SearchRequest *r = &msg->r.SearchRequest; int sizelimit, timelimit; const char **attrs = NULL; + size_t request_size = asn1_get_length(data); msg->type = LDAP_TAG_SearchRequest; + if (request_size > limits->max_search_size) { + goto prot_err; + } if (!asn1_start_tag(data, tag)) goto prot_err; if (!asn1_read_OctetString_talloc(msg, data, &r->basedn)) goto prot_err; if (!asn1_read_enumerated(data, (int *)(void *)&(r->scope))) goto prot_err; |