The Samba-Bugzilla – Attachment 16525 Details for Bug 14655: CVE-2021-20277 [SECURITY] out of bounds read in ldb_handler_fold
[patch] patch for master (v2): CVE-2021-20277-ldb_handler_fold-for-master.patch (text/plain), 2.81 KB, created by Andrew Bartlett on 2021-03-12 01:10:30 UTC
>From b99589d2050773173fef5ac8627270dbf0193b8d Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 5 Mar 2021 20:13:01 +1300 >Subject: [PATCH 1/2] CVE-2021-20277 ldb tests: ldb_match tests with extra > spaces > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/tests/ldb_match_test.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > >diff --git a/lib/ldb/tests/ldb_match_test.c b/lib/ldb/tests/ldb_match_test.c >index 3028aed072c..ba6ea56be15 100644 >--- a/lib/ldb/tests/ldb_match_test.c >+++ b/lib/ldb/tests/ldb_match_test.c >@@ -181,6 +181,8 @@ static void test_wildcard_match(void **state) > size_t failed = 0; > size_t i; > struct wildcard_test tests[] = { >+ TEST_ENTRY(" 1 0", "1*0*", true, true), >+ TEST_ENTRY(" 1 0", "1 *0", true, true), > TEST_ENTRY("The value.......end", "*end", true, true), > TEST_ENTRY("The value.......end", "*fend", false, true), > TEST_ENTRY("The value.......end", "*eel", false, true), >@@ -203,8 +205,12 @@ static void test_wildcard_match(void **state) > TEST_ENTRY("1\n0\r0\t000.0.0.0.0", "1*0*0*0*0*0*0*0*0", true, > true), > /* >- * We allow NUL bytes in non-casefolding syntaxes. >+ * We allow NUL bytes and redundant spaces in non-casefolding >+ * syntaxes. > */ >+ TEST_ENTRY(" 1 0", "*1 0", true, false), >+ TEST_ENTRY(" 1 0", "*1 0", true, false), >+ TEST_ENTRY("1 0", "*1 0", false, false), > TEST_ENTRY("1\x00 x", "1*x", true, false), > TEST_ENTRY("1\x00 x", "*x", true, false), > TEST_ENTRY("1\x00 x", "*x*", true, false), >-- >2.25.1 > > >From f16f3aa52d4d2893abe79a3de0ac5a4221608691 Mon Sep 17 00:00:00 2001 
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Tue, 8 Dec 2020 21:32:09 +1300 >Subject: [PATCH 2/2] CVE-2021-20277 ldb/attrib_handlers casefold: stay in > bounds > >For a string that had N spaces at the beginning, we would >try to move N bytes beyond the end of the string. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb/common/attrib_handlers.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/lib/ldb/common/attrib_handlers.c b/lib/ldb/common/attrib_handlers.c >index b5212b73159..c6ef5ad477b 100644 >--- a/lib/ldb/common/attrib_handlers.c >+++ b/lib/ldb/common/attrib_handlers.c >@@ -76,7 +76,7 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx, > > /* remove leading spaces if any */ > if (*s == ' ') { >- for (t = s; *s == ' '; s++) ; >+ for (t = s; *s == ' '; s++, l--) ; > > /* remove leading spaces by moving down the string */ > memmove(t, s, l); >-- >2.25.1 >
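Review bot: In PATCH 1/2, first hunk (test_wildcard_match, @@ -181), the two new entries `TEST_ENTRY(" 1 0", "1*0*", true, true)` and `TEST_ENTRY(" 1 0", "1 *0", true, true)` are placed at the top of the table with no comment tying them to the leading-space handling that PATCH 2/2 fixes. A one-line comment above them naming ldb_handler_fold would keep them from being pruned later as ordinary wildcard cases. Since the 2/2 commit message says the out-of-bounds distance grows with the number N of leading spaces, it is also worth confirming that at least one entry uses N greater than 1.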
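Review bot: In PATCH 1/2, second hunk (@@ -203), the first two added lines read identically as shown, `TEST_ENTRY(" 1 0", "*1 0", true, false)` twice. If they differ only in the number of spaces, please add a short comment on each saying what spacing it covers, because the difference is invisible in review; if they really are the same, drop one. The third entry, `TEST_ENTRY("1 0", "*1 0", false, false)`, expects no match, and a word in the updated comment on why redundant spaces are significant in non-casefolding syntaxes would make that expectation easier to verify.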
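Review bot: In PATCH 2/2 (ldb_handler_fold, @@ -76), after `for (t = s; *s == ' '; s++, l--) ;` the call `memmove(t, s, l)` copies only the shortened length, and the hunk does not show whether `l` includes the terminating NUL. If `l` is the string length without the terminator, the moved string is no longer NUL-terminated at `t + l` and the old tail bytes remain after it, so please confirm the code following the memmove re-terminates the buffer or that `l` counts the NUL. Separately, the empty-bodied `for` now carries a second side effect in its increment clause; a comment that `l` tracks the remaining length, or writing the loop with an explicit body, would make the bounds fix harder to undo by accident.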
Flags: dbagnall: review+, abartlet: ci-passed+