author | Gary Lockyer <gary@catalyst.net.nz> | 2020-04-03 12:18:03 +1300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-04-21 10:21:09 +0200 |
commit | 2aa1d7a8e42b8cdd7f7c26c3fe7b73fdcb94b31b (patch) | |
tree | f10a729238b1082e725de2c471c747eb569a805e /source3 | |
parent | 100821b43c4b1450832e1143952377becdf0e4d8 (diff) | |
CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
Add maximum parse tree depth to the call to asn1_init, which will be
used to limit the depth of the ASN.1 parse tree.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source3')
-rw-r--r-- | source3/lib/tldap.c | 4 | ||||
-rw-r--r-- | source3/lib/tldap_util.c | 4 | ||||
-rw-r--r-- | source3/libsmb/clispnego.c | 4 |
3 files changed, 6 insertions, 6 deletions
diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
index d6c6e8859a6..bf5fc05d785 100644
--- a/source3/lib/tldap.c
+++ b/source3/lib/tldap.c
@@ -632,7 +632,7 @@ static void tldap_msg_received(struct tevent_req *subreq)
 goto fail;
 }
- data = asn1_init(talloc_tos());
+ data = asn1_init(talloc_tos(), ASN1_MAX_TREE_DEPTH);
 if (data == NULL) {
 status = TLDAP_NO_MEMORY;
 goto fail;
@@ -763,7 +763,7 @@ static struct tevent_req *tldap_req_create(TALLOC_CTX *mem_ctx,
 if (req == NULL) {
 return NULL;
 }
- state->out = asn1_init(state);
+ state->out = asn1_init(state, ASN1_MAX_TREE_DEPTH);
 if (state->out == NULL) {
 goto err;
 }
diff --git a/source3/lib/tldap_util.c b/source3/lib/tldap_util.c
index 54a9eb30bbe..9841f1ee6eb 100644
--- a/source3/lib/tldap_util.c
+++ b/source3/lib/tldap_util.c
@@ -631,7 +631,7 @@ static struct tevent_req *tldap_ship_paged_search(
 struct tldap_control *pgctrl;
 struct asn1_data *asn1 = NULL;
- asn1 = asn1_init(state);
+ asn1 = asn1_init(state, ASN1_MAX_TREE_DEPTH);
 if (asn1 == NULL) {
 return NULL;
 }
@@ -770,7 +770,7 @@ static void tldap_search_paged_done(struct tevent_req *subreq)
 TALLOC_FREE(state->cookie.data);
- asn1 = asn1_init(talloc_tos());
+ asn1 = asn1_init(talloc_tos(), ASN1_MAX_TREE_DEPTH);
 if (tevent_req_nomem(asn1, req)) {
 return;
 }
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 4a0fbcd73af..1608f6a9960 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -50,7 +50,7 @@ bool spnego_parse_negTokenInit(TALLOC_CTX *ctx,
 *secblob = data_blob_null;
 }
- data = asn1_init(talloc_tos());
+ data = asn1_init(talloc_tos(), ASN1_MAX_TREE_DEPTH);
 if (data == NULL) {
 return false;
 }
@@ -171,7 +171,7 @@ DATA_BLOB spnego_gen_krb5_wrap(TALLOC_CTX *ctx, const DATA_BLOB ticket, const ui
 ASN1_DATA *data;
 DATA_BLOB ret = data_blob_null;
- data = asn1_init(talloc_tos());
+ data = asn1_init(talloc_tos(), ASN1_MAX_TREE_DEPTH);
 if (data == NULL) {
 return data_blob_null;
 }
 |
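Review bot: The context created in tldap_msg_received parses bytes that arrive from the LDAP peer, yet it is given the same library-wide `ASN1_MAX_TREE_DEPTH` as every other caller; the same applies to tldap_search_paged_done and spnego_parse_negTokenInit further down. The constant's value is defined outside this diff, so whether it is tight for these protocols cannot be judged from here, but a paged-results control value and a SPNEGO negTokenInit nest only a few levels, so a smaller per-caller limit would bound parser work on untrusted input more closely. At minimum, a comment above each of these calls such as `/* parses data from the peer; nesting is capped by ASN1_MAX_TREE_DEPTH */` would record why the argument matters at these sites. The bodies of all three functions continue outside their hunks.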
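Review bot: `state->out` in tldap_req_create appears to be an encoding buffer rather than a parser, and the contexts in tldap_ship_paged_search and spnego_gen_krb5_wrap look like encoders as well, while the commit message describes the new argument as a limit on the parse tree. The asn1 implementation is not part of this diff; if the limit is enforced only while reading tags, the argument has no effect at these three sites, and a comment such as `/* encode only; the depth limit applies when parsing */` would stop a later reader from assuming it bounds generated output. If the limit is also enforced while writing, a deeply nested structure built here would now fail, so the existing `goto err` / `return NULL` / `return data_blob_null` paths should be confirmed to cover that case. These functions start and end outside the hunks shown.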