authorAndrew Bartlett <abartlet@samba.org>2018-07-30 14:00:18 +1200
committerKarolin Seeger <kseeger@samba.org>2018-08-11 08:16:01 +0200
commit87aa836153e6fb48ea05d3fd98b8e05c527daf72 (patch)
tree237e6e037e4ad9dc0a7f6ff84d7706bbee8ec9ef /source4/dsdb
parent5923c3ccfc11462b841db9e015a33e5f96459e47 (diff)
downloadsamba-87aa836153e6fb48ea05d3fd98b8e05c527daf72.tar.gz
CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user
This regression was introduced in Samba 4.7 by bug 12842 and in master git commit eb2e77970e41c1cb62c041877565e939c78ff52d. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13552 CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/samdb/cracknames.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index d43f510b949..3b215ac0ec9 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -1253,7 +1253,13 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
return WERR_OK;
}
case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
- if (result->elements[0].num_values > 1) {
+ struct ldb_message_element *el
+ = ldb_msg_find_element(result,
+ "servicePrincipalName");
+ if (el == NULL) {
+ info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
+ return WERR_OK;
+ } else if (el->num_values > 1) {
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
return WERR_OK;
}
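Review bot: The new `el == NULL` branch in the DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL case has no comment saying why the attribute can be absent, which is the reason for the fix. A line such as `/* The matched object may carry no servicePrincipalName; look it up by name, never via result->elements[0] */` above the lookup would help keep the positional access from coming back. An element with `num_values == 0` still passes both checks and reaches the code after the hunk; if that code reads `el->values[0]`, the guard would be safer as `if (el == NULL || el->num_values == 0) {`. The rest of the case body is outside the hunk, so this needs confirming. It is also worth checking whether other format cases in DsCrackNameOneFilter index `result->elements[0]` without first checking that the element exists, since they would share the same NULL dereference on the DRSUAPI path.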