From a36db4fceb3235047f190f6d23841394b17aafec Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 21 May 2018 15:20:26 +1200 Subject: CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use ldb_dn_from_ldb_val() does not validate this untrusted input, so a later call to ldb_dn_get_casefold() can fail if the input is not valid. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374 --- lib/ldb/ldb_tdb/ldb_index.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c index 682469396ce..429c8f5aa24 100644 --- a/lib/ldb/ldb_tdb/ldb_index.c +++ b/lib/ldb/ldb_tdb/ldb_index.c @@ -970,6 +970,7 @@ static int ltdb_index_dn_leaf(struct ldb_module *module, return LDB_SUCCESS; } if (ldb_attr_dn(tree->u.equality.attr) == 0) { + bool valid_dn = false; struct ldb_dn *dn = ldb_dn_from_ldb_val(list, ldb_module_get_ctx(module), @@ -981,6 +982,14 @@ static int ltdb_index_dn_leaf(struct ldb_module *module, return LDB_SUCCESS; } + valid_dn = ldb_dn_validate(dn); + if (valid_dn == false) { + /* If we can't parse it, no match */ + list->dn = NULL; + list->count = 0; + return LDB_SUCCESS; + } + /* * Re-use the same code we use for a SCOPE_BASE * search -- cgit v1.2.1