diff options
author | Gary Lockyer <gary@catalyst.net.nz> | 2020-04-03 12:18:03 +1300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-04-21 10:21:09 +0200 |
commit | 2aa1d7a8e42b8cdd7f7c26c3fe7b73fdcb94b31b (patch) | |
tree | f10a729238b1082e725de2c471c747eb569a805e /source4 | |
parent | 100821b43c4b1450832e1143952377becdf0e4d8 (diff) | |
download | samba-2aa1d7a8e42b8cdd7f7c26c3fe7b73fdcb94b31b.tar.gz |
CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
Add maximum parse tree depth to the call to asn1_init, which will be
used to limit the depth of the ASN.1 parse tree.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 4 | ||||
-rw-r--r-- | source4/ldap_server/ldap_server.c | 2 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_client.c | 2 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_controls.c | 48 |
4 files changed, 28 insertions, 28 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 0323da87d29..b735063656a 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -444,7 +444,7 @@ static DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLO struct asn1_data *data; DATA_BLOB ret = data_blob_null; - data = asn1_init(mem_ctx); + data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data || !ticket->data) { return ret; } @@ -478,7 +478,7 @@ static DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLO static bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2]) { bool ret = false; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); int data_remaining; if (!data) { diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c index 90d32c6833a..ebd81127f37 100644 --- a/source4/ldap_server/ldap_server.c +++ b/source4/ldap_server/ldap_server.c @@ -560,7 +560,7 @@ static void ldapsrv_call_read_done(struct tevent_req *subreq) return; } - asn1 = asn1_init(call); + asn1 = asn1_init(call, ASN1_MAX_TREE_DEPTH); if (asn1 == NULL) { ldapsrv_terminate_connection(conn, "no memory"); return; diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 1cbcd0d42d5..1113af14f92 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -284,7 +284,7 @@ static void ldap_connection_recv_done(struct tevent_req *subreq) return; } - asn1 = asn1_init(conn); + asn1 = asn1_init(conn, ASN1_MAX_TREE_DEPTH); if (asn1 == NULL) { TALLOC_FREE(msg); ldap_error_handler(conn, NT_STATUS_NO_MEMORY); diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c index 716ca148308..df012a158e0 100644 --- a/source4/libcli/ldap/ldap_controls.c +++ b/source4/libcli/ldap/ldap_controls.c @@ -32,7 +32,7 @@ static bool decode_server_sort_response(void *mem_ctx, DATA_BLOB in, void *_out) { void **out = (void **)_out; DATA_BLOB attr; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); struct ldb_sort_resp_control *lsrc; if (!data) return false; @@ -79,7 +79,7 @@ static bool decode_server_sort_request(void *mem_ctx, DATA_BLOB in, void *_out) void **out = (void **)_out; DATA_BLOB attr; DATA_BLOB rule; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); struct ldb_server_sort_control **lssc; int num; @@ -166,7 +166,7 @@ static bool decode_extended_dn_request(void *mem_ctx, DATA_BLOB in, void *_out) return true; } - data = asn1_init(mem_ctx); + data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data) return false; if (!asn1_load(data, in)) { @@ -198,7 +198,7 @@ static bool decode_extended_dn_request(void *mem_ctx, DATA_BLOB in, void *_out) static bool decode_sd_flags_request(void *mem_ctx, DATA_BLOB in, void *_out) { void **out = (void **)_out; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); struct ldb_sd_flags_control *lsdfc; if (!data) return false; @@ -232,7 +232,7 @@ static bool decode_sd_flags_request(void *mem_ctx, DATA_BLOB in, void *_out) static bool decode_search_options_request(void *mem_ctx, DATA_BLOB in, void *_out) { void **out = (void **)_out; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); struct ldb_search_options_control *lsoc; if (!data) return false; @@ -267,7 +267,7 @@ static bool decode_paged_results_request(void *mem_ctx, DATA_BLOB in, void *_out { void **out = (void **)_out; DATA_BLOB cookie; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); struct ldb_paged_control *lprc; if (!data) return false; @@ -316,7 +316,7 @@ static bool decode_dirsync_request(void *mem_ctx, DATA_BLOB in, void *_out) { void **out = (void **)_out; DATA_BLOB cookie; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); struct ldb_dirsync_control *ldc; if (!data) return false; @@ -372,7 +372,7 @@ static bool decode_asq_control(void *mem_ctx, DATA_BLOB in, void *_out) { void **out = (void **)_out; DATA_BLOB source_attribute; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); struct ldb_asq_control *lac; if (!data) return false; @@ -433,7 +433,7 @@ static bool decode_verify_name_request(void *mem_ctx, DATA_BLOB in, void *_out) { void **out = (void **)_out; DATA_BLOB name; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); struct ldb_verify_name_control *lvnc; int len; @@ -485,7 +485,7 @@ static bool decode_verify_name_request(void *mem_ctx, DATA_BLOB in, void *_out) static bool encode_verify_name_request(void *mem_ctx, void *in, DATA_BLOB *out) { struct ldb_verify_name_control *lvnc = talloc_get_type(in, struct ldb_verify_name_control); - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); DATA_BLOB gc_utf16; if (!data) return false; @@ -528,7 +528,7 @@ static bool decode_vlv_request(void *mem_ctx, DATA_BLOB in, void *_out) { void **out = (void **)_out; DATA_BLOB assertion_value, context_id; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); struct ldb_vlv_req_control *lvrc; if (!data) return false; @@ -626,7 +626,7 @@ static bool decode_vlv_response(void *mem_ctx, DATA_BLOB in, void *_out) { void **out = (void **)_out; DATA_BLOB context_id; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); struct ldb_vlv_resp_control *lvrc; if (!data) return false; @@ -682,7 +682,7 @@ static bool decode_vlv_response(void *mem_ctx, DATA_BLOB in, void *_out) static bool encode_server_sort_response(void *mem_ctx, void *in, DATA_BLOB *out) { struct ldb_sort_resp_control *lsrc = talloc_get_type(in, struct ldb_sort_resp_control); - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data) return false; @@ -716,7 +716,7 @@ static bool encode_server_sort_response(void *mem_ctx, void *in, DATA_BLOB *out) static bool encode_server_sort_request(void *mem_ctx, void *in, DATA_BLOB *out) { struct ldb_server_sort_control **lssc = talloc_get_type(in, struct ldb_server_sort_control *); - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); int num; if (!data) return false; @@ -782,7 +782,7 @@ static bool encode_extended_dn_request(void *mem_ctx, void *in, DATA_BLOB *out) return true; } - data = asn1_init(mem_ctx); + data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data) return false; @@ -810,7 +810,7 @@ static bool encode_extended_dn_request(void *mem_ctx, void *in, DATA_BLOB *out) static bool encode_sd_flags_request(void *mem_ctx, void *in, DATA_BLOB *out) { struct ldb_sd_flags_control *lsdfc = talloc_get_type(in, struct ldb_sd_flags_control); - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data) return false; @@ -838,7 +838,7 @@ static bool encode_sd_flags_request(void *mem_ctx, void *in, DATA_BLOB *out) static bool encode_search_options_request(void *mem_ctx, void *in, DATA_BLOB *out) { struct ldb_search_options_control *lsoc = talloc_get_type(in, struct ldb_search_options_control); - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data) return false; @@ -866,7 +866,7 @@ static bool encode_search_options_request(void *mem_ctx, void *in, DATA_BLOB *ou static bool encode_paged_results_request(void *mem_ctx, void *in, DATA_BLOB *out) { struct ldb_paged_control *lprc = talloc_get_type(in, struct ldb_paged_control); - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data) return false; @@ -901,7 +901,7 @@ static bool encode_paged_results_request(void *mem_ctx, void *in, DATA_BLOB *out static bool encode_asq_control(void *mem_ctx, void *in, DATA_BLOB *out) { struct ldb_asq_control *lac = talloc_get_type(in, struct ldb_asq_control); - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data) return false; @@ -936,7 +936,7 @@ static bool encode_asq_control(void *mem_ctx, void *in, DATA_BLOB *out) static bool encode_dirsync_request(void *mem_ctx, void *in, DATA_BLOB *out) { struct ldb_dirsync_control *ldc = talloc_get_type(in, struct ldb_dirsync_control); - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data) return false; @@ -972,7 +972,7 @@ static bool encode_dirsync_request(void *mem_ctx, void *in, DATA_BLOB *out) static bool encode_vlv_request(void *mem_ctx, void *in, DATA_BLOB *out) { struct ldb_vlv_req_control *lvrc = talloc_get_type(in, struct ldb_vlv_req_control); - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data) return false; @@ -1040,7 +1040,7 @@ static bool encode_vlv_request(void *mem_ctx, void *in, DATA_BLOB *out) static bool encode_vlv_response(void *mem_ctx, void *in, DATA_BLOB *out) { struct ldb_vlv_resp_control *lvrc = talloc_get_type(in, struct ldb_vlv_resp_control); - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data) return false; @@ -1083,7 +1083,7 @@ static bool encode_openldap_dereference(void *mem_ctx, void *in, DATA_BLOB *out) { struct dsdb_openldap_dereference_control *control = talloc_get_type(in, struct dsdb_openldap_dereference_control); int i,j; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); if (!data) return false; @@ -1132,7 +1132,7 @@ static bool encode_openldap_dereference(void *mem_ctx, void *in, DATA_BLOB *out) static bool decode_openldap_dereference(void *mem_ctx, DATA_BLOB in, void *_out) { void **out = (void **)_out; - struct asn1_data *data = asn1_init(mem_ctx); + struct asn1_data *data = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); struct dsdb_openldap_dereference_result_control *control; struct dsdb_openldap_dereference_result **r = NULL; int i = 0; |