CVE-2020-10704 libcli ldap: Check search request lengths.

Check the search request lengths against the limits passed to ldap_decode. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Gary Lockyer <gary@samba.org> Autobuild-Date(master): Mon May 4 04:40:10 UTC 2020 on sn-devel-184
author: Gary Lockyer <gary@catalyst.net.nz> 2020-04-08 10:46:44 +1200
committer: Gary Lockyer <gary@samba.org> 2020-05-04 04:40:10 +0000
commit: bac809348a7313a5a5a53866848e7b6b56665f43 (patch)
tree: 88a6fa2175e724c51b23b915d40e7398fc18b296 /libcli
parent: 3149ea0a8aada3b03d1ca0af2e3a0f6304cda43b (diff)
download: samba-bac809348a7313a5a5a53866848e7b6b56665f43.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libcli/ldap/ldap_message.c b/libcli/ldap/ldap_message.c
index d38fa0b3b61..69a48279532 100644
--- a/libcli/ldap/ldap_message.c
+++ b/libcli/ldap/ldap_message.c
@@ -1259,7 +1259,11 @@ _PUBLIC_ NTSTATUS ldap_decode(struct asn1_data *data,
 		struct ldap_SearchRequest *r = &msg->r.SearchRequest;
 		int sizelimit, timelimit;
 		const char **attrs = NULL;
+		size_t request_size = asn1_get_length(data);
 		msg->type = LDAP_TAG_SearchRequest;
+		if (request_size > limits->max_search_size) {
+			goto prot_err;
+		}
 		if (!asn1_start_tag(data, tag)) goto prot_err;
 		if (!asn1_read_OctetString_talloc(msg, data, &r->basedn)) goto prot_err;
 		if (!asn1_read_enumerated(data, (int *)(void *)&(r->scope))) goto prot_err;
author	Gary Lockyer <gary@catalyst.net.nz>	2020-04-08 10:46:44 +1200
committer	Gary Lockyer <gary@samba.org>	2020-05-04 04:40:10 +0000
commit	bac809348a7313a5a5a53866848e7b6b56665f43 (patch)
tree	88a6fa2175e724c51b23b915d40e7398fc18b296 /libcli
parent	3149ea0a8aada3b03d1ca0af2e3a0f6304cda43b (diff)
download	samba-bac809348a7313a5a5a53866848e7b6b56665f43.tar.gz