From 0203052d277dba99cca48eb3408d0f13e73664f8 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 5 Mar 2021 20:13:01 +1300 Subject: [PATCH 1/2] CVE-2021-20277 ldb tests: ldb_match tests with extra spaces BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655 Signed-off-by: Douglas Bagnall --- lib/ldb/tests/ldb_match_test.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/ldb/tests/ldb_match_test.c b/lib/ldb/tests/ldb_match_test.c index 3028aed072c..1bb56d072d9 100644 --- a/lib/ldb/tests/ldb_match_test.c +++ b/lib/ldb/tests/ldb_match_test.c @@ -181,6 +181,10 @@ static void test_wildcard_match(void **state) size_t failed = 0; size_t i; struct wildcard_test tests[] = { + TEST_ENTRY(" 1 0", "1*0*", true, true), + TEST_ENTRY(" 1 0", "1 *0", true, true), + TEST_ENTRY(" 1 0", "*1 0", true, true), + TEST_ENTRY("1 0", "*1 0", true, true), TEST_ENTRY("The value.......end", "*end", true, true), TEST_ENTRY("The value.......end", "*fend", false, true), TEST_ENTRY("The value.......end", "*eel", false, true), @@ -203,8 +207,12 @@ static void test_wildcard_match(void **state) TEST_ENTRY("1\n0\r0\t000.0.0.0.0", "1*0*0*0*0*0*0*0*0", true, true), /* - * We allow NUL bytes in non-casefolding syntaxes. + * We allow NUL bytes and redundant spaces in non-casefolding + * syntaxes. */ + TEST_ENTRY(" 1 0", "*1 0", true, false), + TEST_ENTRY(" 1 0", "*1 0", true, false), + TEST_ENTRY("1 0", "*1 0", false, false), TEST_ENTRY("1\x00 x", "1*x", true, false), TEST_ENTRY("1\x00 x", "*x", true, false), TEST_ENTRY("1\x00 x", "*x*", true, false), -- 2.20.1 From ef87cb694daea95b3021ccc80236a97570e7546f Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Tue, 8 Dec 2020 21:32:09 +1300 Subject: [PATCH 2/2] CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds For a string that had N spaces at the beginning, we would try to move N bytes beyond the end of the string. 
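Review bot: The entries added to `tests[]` in `test_wildcard_match` (both hunks of this file) assert only the match result, so they may pass with or without the bounds fix unless the suite runs under a memory checker such as AddressSanitizer or valgrind. A check that compares the canonicalised value and its length against the expected bytes, for inputs with one and with several leading spaces, would pin the behaviour without depending on allocator layout. A comment above the new casefolding entries, for example `/* leading and repeated spaces: regression for CVE-2021-20277 */`, would record why these values are here. The body of `test_wildcard_match` starts and ends outside both hunks, so how the entries are evaluated cannot be confirmed from this page.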
Signed-off-by: Douglas Bagnall --- lib/ldb/common/attrib_handlers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ldb/common/attrib_handlers.c b/lib/ldb/common/attrib_handlers.c index b5212b73159..c6ef5ad477b 100644 --- a/lib/ldb/common/attrib_handlers.c +++ b/lib/ldb/common/attrib_handlers.c @@ -76,7 +76,7 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx, /* remove leading spaces if any */ if (*s == ' ') { - for (t = s; *s == ' '; s++) ; + for (t = s; *s == ' '; s++, l--) ; /* remove leading spaces by moving down the string */ memmove(t, s, l); -- 2.20.1
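Review bot: With `l` now decremented in the loop, `memmove(t, s, l)` in `ldb_handler_fold` copies only the remaining characters. If `l` is a `strlen`-style count, the terminating NUL is no longer carried down to `t[l]`, and the tail of the old string stays in place after the moved text. The assignment of `l` and the code after the `memmove` are outside the hunk, so this needs confirming there; if nothing later terminates the string, add `t[l] = '\0';` directly after the `memmove`. A short comment on the loop, `/* keep l equal to the length remaining at s so the move stays inside the buffer */`, would record why the pointer and the counter must advance together.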