author | Andrew Bartlett <abartlet@samba.org> | 2018-07-30 14:00:18 +1200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2018-08-11 08:16:01 +0200 |
commit | 87aa836153e6fb48ea05d3fd98b8e05c527daf72 | |
tree | 237e6e037e4ad9dc0a7f6ff84d7706bbee8ec9ef /source4/dsdb | |
parent | 5923c3ccfc11462b841db9e015a33e5f96459e47 | |
CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when no servicePrincipalName is set on a user
This regression was introduced in Samba 4.7 by bug 12842 and in
master git commit eb2e77970e41c1cb62c041877565e939c78ff52d.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13552
CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/cracknames.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c index d43f510b949..3b215ac0ec9 100644 --- a/source4/dsdb/samdb/cracknames.c +++ b/source4/dsdb/samdb/cracknames.c @@ -1253,7 +1253,13 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ return WERR_OK; } case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: { - if (result->elements[0].num_values > 1) { + struct ldb_message_element *el + = ldb_msg_find_element(result, + "servicePrincipalName"); + if (el == NULL) { + info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND; + return WERR_OK; + } else if (el->num_values > 1) { info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE; return WERR_OK; } |
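Review bot: The new `el == NULL` branch in the `DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL` case needs a short comment explaining why the lookup can fail. The search result may carry no servicePrincipalName element at all, and the removed `result->elements[0].num_values` access assumed one was always present, which is the NULL dereference being fixed. Because that branch returns, the following `else if (el->num_values > 1)` can be a plain `if`, which reads more clearly. The hunk only tests `num_values > 1`, so please confirm that the code after this block does not index `el->values[0]` or `result->elements[0]` when the element is present but has zero values; that path is not visible here. A regression test that issues a service-principal crack request against a user without servicePrincipalName would keep this from recurring, though the diffstat shown is limited to source4/dsdb and may simply not include it.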