The Samba-Bugzilla – Attachment 15889 Details for
Bug 14334
CVE-2020-10704 [FUZZING][SECURITY] Stack overflow in AD DC (C)LDAP server
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Proposed patch for master
14334.patch (text/plain), 17.50 KB, created by
Gary Lockyer
on 2020-04-02 19:57:18 UTC
(
hide
)
Description:
Proposed patch for master
Filename:
MIME Type:
Creator:
Gary Lockyer
Created:
2020-04-02 19:57:18 UTC
Size:
17.50 KB
patch
obsolete
>From 033569b4417ceb35c616a5ca86efce41971883f4 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Thu, 2 Apr 2020 15:25:53 +1300 >Subject: [PATCH] libcli ldap: limit recursion depth in ldap_decode_filter_tree > >Limit the number of recursive calls to ldap_decode_filter_tree to prevent >stack overflows. The depth is limited to 253 which is small enough to >avoid ASAN detecting a stack overflow, but large enough to be useful. > >Credit to OSS-Fuzz > >REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > libcli/ldap/ldap_message.c | 28 ++- > .../tests/data/clusterfuzz-ldap_decode-20454 | Bin 0 -> 74583 bytes > libcli/ldap/tests/ldap_message_test.c | 193 ++++++++++++++++++ > libcli/ldap/wscript_build | 15 ++ > source4/selftest/tests.py | 2 + > 5 files changed, 233 insertions(+), 5 deletions(-) > create mode 100644 libcli/ldap/tests/data/clusterfuzz-ldap_decode-20454 > create mode 100644 libcli/ldap/tests/ldap_message_test.c > >diff --git a/libcli/ldap/ldap_message.c b/libcli/ldap/ldap_message.c >index f21598374a1..c6882bf1f70 100644 >--- a/libcli/ldap/ldap_message.c >+++ b/libcli/ldap/ldap_message.c >@@ -26,6 +26,13 @@ > #include "../lib/util/asn1.h" > #include "../libcli/ldap/ldap_message.h" > >+/* >+ * The maximum depth that we'll recursively call ldap_decode_filter_tree >+ * 253 is chosen as it's small enough to not trigger the ASAN stack overflow >+ * check, but large enough to be practical in actual use. >+ */ >+#define MAX_FILTER_TREE_DEPTH 250 >+ > _PUBLIC_ struct ldap_message *new_ldap_message(TALLOC_CTX *mem_ctx) > { > return talloc_zero(mem_ctx, struct ldap_message); >@@ -774,12 +781,23 @@ static struct ldb_val **ldap_decode_substring(TALLOC_CTX *mem_ctx, struct ldb_va > /* > parse the ASN.1 formatted search string into a ldb_parse_tree > */ >-static struct ldb_parse_tree *ldap_decode_filter_tree(TALLOC_CTX *mem_ctx, >- struct asn1_data *data) >+static struct ldb_parse_tree *ldap_decode_filter_tree( >+ TALLOC_CTX *mem_ctx, >+ struct asn1_data *data, >+ unsigned int depth) > { > uint8_t filter_tag; > struct ldb_parse_tree *ret; > >+ /* >+ * Limit the depth of recursion we'll allow to avoid stack overflow >+ * attacks >+ */ >+ depth++; >+ if (depth > MAX_FILTER_TREE_DEPTH) { >+ return NULL; >+ } >+ > if (!asn1_peek_uint8(data, &filter_tag)) { > return NULL; > } >@@ -803,7 +821,7 @@ static struct ldb_parse_tree *ldap_decode_filter_tree(TALLOC_CTX *mem_ctx, > > while (asn1_tag_remaining(data) > 0) { > struct ldb_parse_tree *subtree; >- subtree = ldap_decode_filter_tree(ret, data); >+ subtree = ldap_decode_filter_tree(ret, data, depth); > if (subtree == NULL) { > goto failed; > } >@@ -830,7 +848,7 @@ static struct ldb_parse_tree *ldap_decode_filter_tree(TALLOC_CTX *mem_ctx, > } > > ret->operation = LDB_OP_NOT; >- ret->u.isnot.child = ldap_decode_filter_tree(ret, data); >+ ret->u.isnot.child = ldap_decode_filter_tree(ret, data, depth); > if (ret->u.isnot.child == NULL) { > goto failed; > } >@@ -1269,7 +1287,7 @@ _PUBLIC_ NTSTATUS ldap_decode(struct asn1_data *data, > r->timelimit = timelimit; > if (!asn1_read_BOOLEAN(data, &r->attributesonly)) goto prot_err; > >- r->tree = ldap_decode_filter_tree(msg, data); >+ r->tree = ldap_decode_filter_tree(msg, data, 0); > if (r->tree == NULL) { > goto prot_err; > } >diff --git a/libcli/ldap/tests/data/clusterfuzz-ldap_decode-20454 b/libcli/ldap/tests/data/clusterfuzz-ldap_decode-20454 >new file mode 100644 >index 0000000000000000000000000000000000000000..2b929069d081831a974b74d37ecbba83c0c743d0 >GIT binary patch >literal 74583 >zcmeI4F|r=XafGqEj8Mc{y2EeM(H(FI88T_e)e(4<wPo>Y(g}n{@k3_T^i0pZf1gB= >z9SEqat1`1{vU>)=TZaDS%g?|3^7@ZI{rrb7zy9=Zzy9)H|NW<*fBwU-KY#h@r~mxz >zm*2kp^>;;mPj#$b^Ig?cWv`4P^fL3yZ~xrXg?qnK@8ycBDN=8uv94x(m!G{-ZFE;g >z5gcV4S5tdNxFfUB`y6lv_xfHQDgu+4yfI*A>u~*#-%t3T?0tNG7I{xbCr)3JDPj_3 >zgjY>f^psH~JW-*aKLh-nW!5QkXZS?bRP?wr<94t+`1*cRmCbvOU*&C{3cibb=LBG( >z*!NOX1ST^%DVW*1-^k<1WhR{+9*$q`WoA@U1UfT$O0HUpWRg`Apjf->ug|;u?3HR~ >z&km=feNr&9b>GW$c6gK-clPV|`#9?E<rzLvrJOuJC08v)GSX3mjxsq#byJnSGK!8` >zg}$B+7Rr4ueMMk+GT#d|iwgNVIDb8(l+=l6tgA0WVpA>s&RS_F+b8u(j|Xo5-7WoG >zdwma|sMRTruAELypuO@$rRJx6<QK;CWKzWu&w9E}kN3^0Q*>W4GxIugXZS>o4w+ef >zX%hXM-=C@PrLPD~W^z(6vsL#=3dwdC(z&5WRS{jN_}+VvFBO01ywYRMyZ=>;H|f1R >z_B!!c&+s#5^8A$ie9<fg=_o=+nVf>Tz_E9{*Q)NBkK9`LIg5IFop`Kg_|ANNLnd$K >zprfmkXFm5C&pUag$NP=U+c5meOx^+N?&BGL#!TMoK9$1zI^MOOz%#%1y&Qg^pWak& >zRoN?}$Q6jM@H1xeR&G1GI(g>zb}6;lxpy^#XWo5Ax}e<m(pLn==YTKNEE1Ebc>f>H >z;W(*3Lyz}YbpD=S-wIXBZNFivDZ=&4tlmph#Zq)soIeM+t2x1>`f55@DEGb86oKK% >zd@s~2D&)()&m*&%QA+AWbcdhVR7=0JR@%w-Z--ZUyx+)lw!9oUoKmDr=2Ag5MPd?- >zb$y>o;e8$NTAe+!nj^6}&DpcV>F9kg-GRJkzN=H}?m5D1U%%g0ufi8<7Tq}|R~>Qv >zD*ZXX*Ic1$nuWbGistH{dt0-+p0z&{v(@_g=89)lGbTE<Yxfzqq`GGBoYbG8$NNu; >zybX0uez((E>h5DI2(JiqX7ZG>XKH?o&#b-caj%S`J3Yb7)_t>%XPB9p*O@!RC#ufb >z&)|RKX3=lVNL-V6CTmqsw0{%5(qr8xX|A5rHJB<r9SAC*Gox;WeLnC0Y5yH(pPWRV >zNipeBJ3l2q-#S||(ouwtGI<|LUsd+XC^~8t`g%H8DEGbe6%`hw@`{eN;#|-2E}yQ| >zE7j81tQ8(M=jD6h6{$`%){lH8;IC)Q?q~Q!)l~GjGvmAb?3HR~GsEd<zcFBD>%i^* >zB}sR0xQ$zil*!!L*(7SPGqbw$;Kfp;Srmcy4Dnd&7nv)qLi-(Z?bJaTUG~yf1jf~_ >z@SXX3>>wRkQ*m_yu$Zy$rKSi>X0j8Q*}C7z`Tdfgitz8F_vy&HzVqN`6EMqI^R!`A >zW$fPNXRlOC{jAjl$@VAqN{{!wOlQkWKTG%e>;Adm_j~UC;F#a6^wb@!c*YlM7M1#| >zy<_{0OsD-Ut}2|BoIYmG`N9s2c0{bIjm+w-U=_A=SDo(R6IGqEuYWhQ=h(f==h;%H >z>t?6Ku4eY9>GA&7r?bb?n0cMKR8UP3u4iU-`x9N0p;Wu;o0-^DJDV9!M|&qQvsL#= >z3ajUIoiW$g=X_*3(tBj>`Mmq*f;gDo%VVz-kM#^cV<yi}X{b;|vof9s!Rj?v81>oS >z@o2EBR_yEPU=_A=y?550;5+kW9^IL-^L?s2{DI;3k?R@ZgeMwnegnMHV|_vP8;Li= >zKRK+(>%?O{!_Sz>yT0>G@xG3Ct%*I8w}q~S^BtMwI-(}cjPLF$^bUP5M`jUd)vE8x >zZFsED_^_&1=ei47D?Dt+p(MN_;fV@;{fvoCwb5A_MR2@Yy*wklA~A`IcRk~~{Opx# >z>t{^1PwJH(58VD~|5LB;;S)8S&&=xU1zs#goTD;%L#msq?3Gb;)GD;!A!a%1kU@pL >z^c8_|wJUsQz8*VBN7htaod7Im?0cyx0+X5S1ZKAGH?nSW{a<&8TXR(bpYD&WGUt4; >z6HlI1TBZEA_on##cV+~yCsTBM>VE_WUv^{eIfzfJ>0o{V@Vk_KM+O!4Qd0ybGua8u >zY~A0Q`AwFeitulCRzl4pF^R^Sr{t<N6B#MO&dgc|9_uqctg$i^xy+<);X&5Uzms0+ >z@xGVoY`N#|yVqZT{3O(UOa<W;fzHhOJ{4XpMMuS)g69CoUJ8o9WM(xTER_3RYKp+P >zzwm{cMa6u5doR!^p5Jp<EjJQfj3@lWrdo9Xk+oGPShID%k?CxCnP=O5^Xe7;*(ted >z&Gat+I2##%qUuHFSx;EAb>FOXc6gMTnb(;+!zZeg{R~!L(|7sVE7i_shSSmhO$9Ss >zb)TfLdQR6FbB%q@N2VjaN7kOtyZ<`|4yO0=*z3e&J;TqK$@5bhDpb*|jORhHdd(F^ >zeYSTz8my`n`+7Q9h3#DLowX<U&U~3icV_H-pXv^OVEBFHdPX?miN>1W0I&2|Uy%Jq >z;?3|+4lD9H@mSCBGiLIx?>tkyuj5^7V$bAlp=;rMM<%(Bs7W*9ySoa#L*L7hSp-_O >z>br6q9_uqctm@Ud?n2fI58H7l39m?aqC#IkV`5WnbXG<Y9IsX{&j_zbOrqjl&-gAs >zd!^d?8I$dkdZot$xBtuHQ?Kvg6E&RA%<Ag}UMxkNqcV9zs++3pl~HumDzx7rW;yDR >zL502a6@hWJD|~0Z9y>@!)>K@b04!$gd#Nb`lbP%UX14A(a(<KLry~6O=zTi!uJ1hf >z*#yio);w)kRT;Z?`PnPgQa@`oL9+dcz0%`-FVorb($CVp{`%vm6YgUw2(JiqX4dzq >z@M0-CD&`bC2RQapPy{A3tLb2&-1kyb1jhY^FVrk5=BvG9s~M%F&P3JM-xHtebKUeA >zdc5Drx%WCtMR?~YSLf;(;T4HVRJ`l^@Gk#28=0J9K0TP6BHsZpvvuFBzwevHnfvV- >zxqRxpJynNUJAVhf(qr8xY36P8NpgznRJ`*F9TTB$rSg2<{j<e8&iWax@OdW1gi|{| >zrQ^LIBOOKPD3kZ0^i^fAjH07fp|7Wdg>v6ZUr}K}DzE5RE6(*S@ABzdy;3cG&067M >zb6&m|UXkiVWBtfi0{(i&?0$w%R82*XJ2Sq^&t9o^HZz=#_8S9cwhr9>xnOs1xQ$zi >zl*!!L*(7SPGqbw$;Kfp;Srmcy4Dnd&7nv)qLi-(Z?bJaTUG~yf1jf~_@SXX3>>wRk >zQ*m_yu$Zy$rKSi>X0j8Q*}C7z`Tdfgitz8F_vy&HzVqN`6EMqI^R!`AW$fPNXRlOC >z{jAjl$@VAqN{{!wOlQkWKTG%e>;Adm_j~UC;F#a6^wb@!c*YlM7M1#|y<_{0OsD-U >zt}2|BoIYmG`N9s2c0{bIjm+w-U=_A=SDo(R6IGqEuYWhQ=h(f==h;%H>t?6Ku4eY9 >z>GA&7r?bb?n0cMKR8UP3u4iU-`x9N0p;Wu;o0-^DJDV9!M|&qQvsL#=3ajUIoiW$g >z=X_*3(tBj>`Mmq*f;gDo%VVz-kM#^cV<yi}X{b;|vof9s!Rj?v81>oS@o2EBR_yEP >zU=_A=y?550;5+kW9^IL-^L?s2{DI;3k?R@ZgeMwnegnMHV|_vP8;Li=KRK+(>%?O{ >z!_Sz>yT0>G@xG3Ct%*I8w}q~S^BtMwI-(}cjPLF$^bUP5M`jUd)vE8xZFsED_^_&1 >z=ei47D?Dt+p(MN_;fV@;{fvoCwb5A_MR2@Yy*wklA~A`IcRk~~{Opx#>t{^1PwJH( >z58VD~|5LB;;S)8S&&=xU1zs#goTD;%L#msq?3Gb;)GD;!A!a%1kU@pL^c8_|wJUsQ >zz8*VBN7htaod7Im?0cyx0+X5S1ZKAGH*$WH<)<S2`{;c-@~-bZ_}K)^GS)n8SXCLj >zclp^X)lxreH9@ldiM`U}eJ|75^3u=Jz5e>+rxWgDDhRI#bY|A~sqkVcIx6NAJO?=T >zQcwgYGpp%fq1^XUQv}BSg)h`BD(0)bW2+gZq|QXu*WVML>T})n8G5|m$hr4AOGS9+ >zCs*g{8Q~R)NmRV+`|vLRI2)OqVm>{XoFd-=Ftc^vtiSJ@#hLr<8M%DwyggNiSv!9R >zywYRcCu!zw^ht7x>Qub*3LO)nZl&^k-u<)1JI?wUt?+p!#e`EkKc(ZnAR`?`=qQu- >zq4ZT{uZ*IjR-vz_gN1V6OJ5Nfp3L_`&7wlS_TP05U#^*#!>#&-!(?hDE2oc{bH1?N >z`%0_2{_Wi-pa0H`;NN}Lcln$^&75j^ZdogQvi(%N(&K^KKR-=B*IwVlCu(&{+`_`u >z45c6)MVzBDIW;Qa*gM{9RrkzC{(b{LXHieDSI4Z~<++X&W|5FY)z{yT(UodVpuO@$ >zcld>IT{5ZSh-W=rr^ox9u2XbhGBfi!b7%NOjSiVvy)}t`&hO9E_tIAcCNnwdH_V^G >z^;P%jo5Ej8CE4ymIybbaDxw1w-)l-mrQ+`_jM=Jr_rHGdC%sQ+%iYYK;S*I%deqKO >z$<MbG$w)^LI?Ch}rLQV`WfUE?3Vl5tER_3R`ij8tWWJxFsIw+!^<E`<Xk=!^r)x1g >z*VVGN>g2jT*83>UkIebrZOD#&M&E1R{r$j~^j_!ab>gv};b+X`UB972xAb9MDdrT+ >z1(UrL6oJW1-XUf=>X1Q&z0?$eakVRaXTBbO0XqNK_xc2wml^wB`ij70Cfx)xTlX6| >zPN}=+nXC;Dy~<vwS%mYd6;Jo!t^X+eIy``cbKKhH7&Qtb_Q7WS#HL!uJGQhvvoC5o >zFx<nRbh5ltmAx{GT!HusKVv3ub)QP%eI4&w6MN=!y*lsYl^*X8==`4QE-1n~zvUyB >z3c@QAlc;!4@8y+ZPQhH+&nLgqx-(r@?tAGg0>d1vo)=n?*NMkkzsLx$=vXV>%6WLK >zsd(p2&e^JKSMlf1TH)zlJD=GrJ>Kv1+<Q5!2=DwP%5BdGuSiUy;`u41#&N1*JmDuc >zr%C;+tvb1Gk9D7<dFKs42N!a_nn;T5l~GhRcNXp0s(JT6)A1+0PiM>B%$?yARZM!+ >z&QFPxr-M|bqX->kgjY>fsj5oE+R@k3!5XX2&R%MY;9TQ{B4SOY)q9obp^=#tpRUF1 >zTvyB5s*~&XSns1WKQiZ-P6|(-AUpOMeXn`<_XA(j`#gmwCoyBvqjav{P;P*96rrO` >zPW@!gqt>12V12BU=7z7#EUIp=!#lBZ(5I|Up2_zFzYFI(GRbv>W(Jd)>;z`E?l*Gy >z+THU^)`o{(WiQk$!g<w-x4KV-PgXHeyr<*nC;T5ja=O#Tn;b2=t~&nN<GOB-b-ATk >zug3HY2fco|kdOA|-yPwn=ZqdR#zK2C)6))Le%pVp;(ofV3*dF)v7X^)%;fng4Hc?r >zR>t!nSiR;7qdwa^9t~F2ihVsDtipD#_s*K*9YtPfMfAFhpE1#>KG)CoF8}x}WO53B >zo@YH>r^n;j_Ww*Y{Txm!qX_T3I&x?D8551-eg4g&-`$yoCpu2*l^*Lp>FM+Di9Sg> >zSDlJ?UZG<m)U8z9Ss1fb^X@;>@aM|ea<{uZ7-Aozd1iGlP@QQX6?5uQhcB#Wq^dem >zvHcDu(|3hUwNY0_5&B+*KSP0MP0ZRqc&yL(u*P~laq1R6+3uxRdaU<Rnycq@4d$Fr >z+>zcRYtQH1-wzy2@8z-AiN|_|pD~l?r!-WkqFEWwgJAWVD~$SV?|3v=RV()Obg&BB >zx!yZ#Pw<`jGLP=e*!e!y9sa=Z`^fc-aKaOfHNOE~$@oXRBCT3v+ksYQ7ST+#>T`Y6 >zs3xnJDBja?^mD$mnTg!lv#U-t*1N}1xcv`|Jo$64zka{Jch4qO>s-!H$yI9tGSX3m >zjxxm|U)@w?uZ$u%naMlEEJqzOsIZrsA~3FYh40Llz5m5qz1ehRO~ucBMtUA6^-7P& >z6YV#$pOfF1td+Z&8)#)_5w5FNI-h@^a<(Va-<cWAY~43&?!E4SBK-4vG;*mRydp7) >ziud_9i+*=!7M|!hsaJZe`=qD;$QLy|tr?`qUKvGIb7%XEzSq3_AA|Uk-lwzWZsyML >zi7F;NYUiiqH?$PVNJkMm%H$NKuPS?G6dkn+eLWp4l>1)#iooz>z87j174l_&f{o1T >z&61Kj5#8Y@Hr3Matd(}M-A%9bc)yY9Y<W3yIHgFL%%y^Aio_%u>-s*G!uvYjwK{ud >zHAiA|nzLtz)6x50x&wL7d{?K`-E&0Np5SLp&Z~5;XJiWLC_+b>f!6NHoJXxY)4}>! >zr<!y&v7SK@z3$>?Of+iVmGh1+hG*`)$)9^3K249uv+aLZ=N-t?$XcCm=FaemDyI9t >zx*6~CvsbE}%?zib{T=v*`7^k_>OOr_*#F;I;yat34(F7~^QfAt?3Gc(31nt<w_u^% >z_fk^?#^;7F)GQK{sCa&>T(#UFb5F52sV`>rL$P*_J!byz9AvJX{`rLO@|mMLr&_w5 >zwbi7q+vE6t{Pq3#$VudUPoE$=_8EPzdG}9G@Fl&U-Hpth;S*J7NRQg>??-ub*TI+l >ziF40E_q!OL$@gSTK{Y2TrmF0fQ6vSTLi<^JrN{e?oO>^a72%zqT)FKT;T4HVR6L#1 >zTmMn`Wml;S=i}Ax$zU^nK18Z@ykl!N&*UrNl^*Yln$DJ&BZpIpl*wEwsHR9vqOs;F >zWzW(qh4*#5YjyU_YL3L_G-uBar=#_1W(7R!zL)9j@Fg=x|3)4EuJDN}Wb*u!T$LG0 >zK{|@iQ6{HmE^zD}@3pFX=5udr&Ed~{Z$iy~g-_J;XM2}_oQ=#_`JE@Gyy`?_&GYa| >zkM}#B&X#+A*JfU4E)`T$gzK5fQ_7yH`7u5$o~iFOjUq6a$w|S?R^2BlB>VWBu0!?s >z{8T_ELfu9^JHnW)ns@&*9e=KzEqA-yem1Hpk}^^0{G<Pwh8yX)vP7)uXx{QXgFA{V >zK3&J^>g+X*A~>1JPGDxM-bX1U+b5aNb)1ikcTBFj71nR2vwEy~_xA&DuAD7*yW4rD >z(jj8)JU^w>s2K_`mZGC#PCe?b$X*JHj#`Djo(>kueJ_1QVD3)VnXhlpghutfo-xtI >zc*0L?s-?eKTXk~X9`83Yoh>i@#>~9VTq>xh2-h>S`cgARvT8yUYxi0A^3nCrk#gw1 >zJMNWHgkomWHZZeQms<+Oo_?){M4ly?AL9G}J4^c}mP7cnaPQ!+jztPYrF?y}6Ps!| >zOV&y|b7%NO6*K!@&p33Gb)}e7JeiZ3QaxW5W<j@Ok9%blsZ-@#^{9N#a~+{(k&r~y >zXXU)3i{Y6&-hA$P_%uD%$7}yx8E^75bW^-eJk~S(jG4U8zghGfGZJ6T45p)fQZTbs >z_elzO-T<_iGd&$uDvtCX<O}<J-hKaZFuj(?UMDWM{cMC+1UfUTdx5H0ijImoHFJSu >zF9k(lGP9Zv7Rr4uHAP@}GT+Zo)L9d=nlRBrBQq;LU5nYdu9me`C)e%q{(j&H{>ocL >z!YBgo8RD_lFEUqJh4wF~Yo`v%=(3l-A~3FYg`Y9eDBksq^pTDtbd>o$o(t7G(<N4O >z6qng+=UD2V%h{!+sL-#6Ux3c{scMev6X-Mcz4R4<$xME$z|2;CLH3{M_;YqYyiPpU >zGkl&&A(MA~AGkm7>v-2EbF{w%Uytie7@b@`!m;X^#IDAr!)(>%mS(*g-_Oh`3@}!K >QtGVqz<7Z9Z<^T1602Ntcxc~qF > >literal 0 >HcmV?d00001 > >diff --git a/libcli/ldap/tests/ldap_message_test.c b/libcli/ldap/tests/ldap_message_test.c >new file mode 100644 >index 00000000000..17e3e1003ee >--- /dev/null >+++ b/libcli/ldap/tests/ldap_message_test.c >@@ -0,0 +1,193 @@ >+/* >+ * Unit tests for ldap_message. >+ * >+ * Copyright (C) Catalyst.NET Ltd 2020 >+ * >+ * This program is free software; you can redistribute it and/or modify >+ * it under the terms of the GNU General Public License as published by >+ * the Free Software Foundation; either version 3 of the License, or >+ * (at your option) any later version. >+ * >+ * This program is distributed in the hope that it will be useful, >+ * but WITHOUT ANY WARRANTY; without even the implied warranty of >+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ * GNU General Public License for more details. >+ * >+ * You should have received a copy of the GNU General Public License >+ * along with this program. If not, see <http://www.gnu.org/licenses/>. >+ * >+ */ >+ >+/* >+ * from cmocka.c: >+ * These headers or their equivalents should be included prior to >+ * including >+ * this header file. >+ * >+ * #include <stdarg.h> >+ * #include <stddef.h> >+ * #include <setjmp.h> >+ * >+ * This allows test applications to use custom definitions of C standard >+ * library functions and types. >+ * >+ */ >+#include <stdarg.h> >+#include <stddef.h> >+#include <setjmp.h> >+#include <cmocka.h> >+ >+#include "lib/util/attr.h" >+#include "includes.h" >+#include "lib/util/asn1.h" >+#include "libcli/ldap/ldap_message.h" >+#include "libcli/ldap/ldap_proto.h" >+ >+/* >+ * declare the internal cmocka cm_print so we can output messages in >+ * sub unit format >+ */ >+void cm_print_error(const char * const format, ...); >+/* >+ * helper function and macro to compare an ldap error code constant with the >+ * coresponding nt_status code >+ */ >+#define NT_STATUS_LDAP_V(code) (0xF2000000 | code) >+static void _assert_ldap_status_equal( >+ int a, >+ NTSTATUS b, >+ const char * const file, >+ const int line) >+{ >+ _assert_int_equal(NT_STATUS_LDAP_V(a), NT_STATUS_V(b), file, line); >+} >+ >+#define assert_ldap_status_equal(a, b) \ >+ _assert_ldap_status_equal((a), (b), __FILE__, __LINE__) >+ >+/* >+ * helper function and macro to assert there were no errors in the last >+ * file operation >+ */ >+static void _assert_not_ferror( >+ FILE *f, >+ const char * const file, >+ const int line) >+{ >+ if (f == NULL || ferror(f)) { >+ cm_print_error("ferror (%d) %s\n", errno, strerror(errno)); >+ _fail(file, line); >+ } >+} >+ >+#define assert_not_ferror(f) \ >+ _assert_not_ferror((f), __FILE__, __LINE__) >+ >+struct test_ctx { >+}; >+ >+static int setup(void **state) >+{ >+ struct test_ctx *test_ctx; >+ >+ test_ctx = talloc_zero(NULL, struct test_ctx); >+ *state = test_ctx; >+ return 0; >+} >+ >+static int teardown(void **state) >+{ >+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, >+ struct test_ctx); >+ >+ TALLOC_FREE(test_ctx); >+ return 0; >+} >+ >+/* >+ * Test that an empty request is handled correctly >+ */ >+static void test_empty_input(_UNUSED_ void **state) >+{ >+ struct test_ctx *test_ctx = talloc_get_type_abort( >+ *state, >+ struct test_ctx); >+ struct asn1_data *asn1; >+ struct ldap_message *ldap_msg; >+ NTSTATUS status; >+ uint8_t buf[0]; >+ size_t len = 0; >+ >+ >+ asn1 = asn1_init(test_ctx); >+ assert_non_null(asn1); >+ >+ asn1_load_nocopy(asn1, buf, len); >+ >+ ldap_msg = talloc(test_ctx, struct ldap_message); >+ assert_non_null(ldap_msg); >+ >+ status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg); >+ assert_ldap_status_equal(LDAP_PROTOCOL_ERROR, status); >+} >+ >+/* >+ * reproducer for oss-fuzz issue 20454 >+ * >+ * Note that this test needs to be run with ASAN enabled, as it checks a stack >+ * overflow condition. >+ */ >+static void test_oss_fuzz_20454(_UNUSED_ void **state) >+{ >+ struct test_ctx *test_ctx = talloc_get_type_abort( >+ *state, >+ struct test_ctx); >+ struct asn1_data *asn1; >+ struct ldap_message *ldap_msg; >+ NTSTATUS status; >+ FILE *f = NULL; >+ uint8_t *buffer = NULL; >+ const size_t BUFF_SIZE = 1048576; >+ size_t len; >+ >+ >+ /* >+ * Load the oss-fuzz generated test data that triggered a stack >+ * overflow. >+ */ >+ buffer = talloc_zero_array(test_ctx, uint8_t, BUFF_SIZE); >+ f = fopen( >+ "./libcli/ldap/tests/data/clusterfuzz-ldap_decode-20454", >+ "r"); >+ assert_not_ferror(f); >+ len = fread(buffer, sizeof(uint8_t), BUFF_SIZE, f); >+ assert_not_ferror(f); >+ assert_true(len > 0); >+ >+ asn1 = asn1_init(test_ctx); >+ assert_non_null(asn1); >+ asn1_load_nocopy(asn1, buffer, len); >+ >+ ldap_msg = talloc(test_ctx, struct ldap_message); >+ assert_non_null(ldap_msg); >+ >+ status = ldap_decode(asn1, samba_ldap_control_handlers(), ldap_msg); >+ assert_ldap_status_equal(LDAP_PROTOCOL_ERROR, status); >+} >+ >+int main(_UNUSED_ int argc, _UNUSED_ const char **argv) >+{ >+ const struct CMUnitTest tests[] = { >+ cmocka_unit_test_setup_teardown( >+ test_empty_input, >+ setup, >+ teardown), >+ cmocka_unit_test_setup_teardown( >+ test_oss_fuzz_20454, >+ setup, >+ teardown), >+ }; >+ >+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); >+ return cmocka_run_group_tests(tests, NULL, NULL); >+} >diff --git a/libcli/ldap/wscript_build b/libcli/ldap/wscript_build >index db5b1df497a..a646685c751 100644 >--- a/libcli/ldap/wscript_build >+++ b/libcli/ldap/wscript_build >@@ -6,3 +6,18 @@ bld.SAMBA_LIBRARY('cli-ldap-common', > private_headers='ldap_message.h ldap_errors.h ldap_ndr.h', > deps='samba-util asn1util NDR_SECURITY tevent', > private_library=True) >+ >+bld.SAMBA_BINARY( >+ 'test_ldap_message', >+ source='tests/ldap_message_test.c', >+ deps=''' >+ cmocka >+ talloc >+ ldb >+ samba-util >+ asn1util >+ NDR_SECURITY >+ cli-ldap >+ ''', >+ for_selftest=True >+) >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 81a988ac35c..d49787d2246 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -1361,6 +1361,8 @@ plantestsuite("librpc.ndr.ndr", "none", > [os.path.join(bindir(), "test_ndr")]) > plantestsuite("librpc.ndr.ndr_macros", "none", > [os.path.join(bindir(), "test_ndr_macros")]) >+plantestsuite("libcli.ldap.ldap_message", "none", >+ [os.path.join(bindir(), "test_ldap_message")]) > > # process restart and limit tests, these break the environment so need to run > # in their own specific environment >-- >2.17.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 14334
:
15889
|
15893
|
15894
|
15895
|
15896
|
15906
|
15907
|
15910
|
15914
|
15915
|
15916
|
15917
|
15918
|
15920
|
15922
|
15923