summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorGarming Sam <garming@catalyst.net.nz>2018-11-05 16:18:18 +1300
committerKarolin Seeger <kseeger@samba.org>2018-11-28 08:22:24 +0100
commitd2c98abde12d11d64cc62697f633fc5db75502ef (patch)
tree0b05dcfedfe77d2ffcf92c1bc67aab7313ecfce5 /source4
parentc835e27a998fa6bfb49a48581c65224c4c02880e (diff)
downloadsamba-d2c98abde12d11d64cc62697f633fc5db75502ef.tar.gz
CVE-2018-16851 ldap_server: Check ret before manipulating blob
In the case of hitting the talloc ~256MB limit, this causes a crash in the server. Note that you would actually need to load >256MB of data into the LDAP. Although there is some generated/hidden data which would help you reach that limit (descriptors and RMD blobs). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/ldap_server/ldap_server.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index f6329f05c5a..783823043dc 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -690,13 +690,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
ret = data_blob_append(call, &blob, b.data, b.length);
data_blob_free(&b);
- talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
-
if (!ret) {
ldapsrv_terminate_connection(conn, "data_blob_append failed");
return;
}
+ talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
+
DLIST_REMOVE(call->replies, call->replies);
}
View Lorry Controller Status