The Samba-Bugzilla – Attachment 17204 Details for Bug 15008
CVE-2022-32745 [SECURITY] Collecting attribute values for LDB add/modify can result in out-of-bounds access
[patch] patch for master
bug_15008.patch (text/plain), 4.12 KB, created by Jennifer Sutton on 2022-03-11 01:40:34 UTC
Description: patch for master
Filename: bug_15008.patch
MIME Type: text/plain
Creator: Jennifer Sutton
Created: 2022-03-11 01:40:34 UTC
Size: 4.12 KB
Flags: patch, obsolete
>From 32230e2e4d543e75e73da794cdaf58f83b6f45c3 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 16 Feb 2022 17:03:10 +1300 >Subject: [PATCH 1/3] s4/dsdb/samldb: Check for empty values array > >This avoids potentially trying to access the first element of an empty >array. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > source4/dsdb/samdb/ldb_modules/samldb.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c >index 24971d521aa..116c3ec1f00 100644 >--- a/source4/dsdb/samdb/ldb_modules/samldb.c >+++ b/source4/dsdb/samdb/ldb_modules/samldb.c >@@ -751,7 +751,7 @@ static int samldb_schema_add_handle_linkid(struct samldb_ctx *ac) > return ret; > } > >- if (el == NULL) { >+ if (el == NULL || el->num_values == 0) { > return LDB_SUCCESS; > } > >@@ -919,7 +919,7 @@ static int samldb_schema_add_handle_mapiid(struct samldb_ctx *ac) > return ret; > } > >- if (el == NULL) { >+ if (el == NULL || el->num_values == 0) { > return LDB_SUCCESS; > } > >-- >2.35.0 > > >From 6cd3312f866cf788087c5198106357e1674b3a6f Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 17 Feb 2022 11:11:53 +1300 >Subject: [PATCH 2/3] s4/dsdb/util: Use correct value for loop count limit > >Currently, we can crash the server by sending a large number of values >of a specific attribute (such as sAMAccountName) spread across a few >message elements. If val_count is larger than the total number of >elements, we get an access beyond the elements array. > >Similarly, we can include unrelated message elements prior to the >message elements of the attribute in question, so that not all of the >attribute's values are copied into the returned elements values array. >This can cause the server to access uninitialised data, likely resulting >in a crash or unexpected behaviour. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > source4/dsdb/samdb/ldb_modules/util.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c >index 405febf0b3d..14947746837 100644 >--- a/source4/dsdb/samdb/ldb_modules/util.c >+++ b/source4/dsdb/samdb/ldb_modules/util.c >@@ -1546,7 +1546,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx, > > v = _el->values; > >- for (i = 0; i < val_count; i++) { >+ for (i = 0; i < msg->num_elements; i++) { > if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) { > if ((operation == LDB_MODIFY) && > (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) >-- >2.35.0 > > >From 0db9d02ee50a64653147d2d553ec787c354486d0 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 17 Feb 2022 11:13:38 +1300 >Subject: [PATCH 3/3] s4/dsdb/util: Don't call memcpy() with a NULL pointer > >Doing so is undefined behaviour. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > source4/dsdb/samdb/ldb_modules/util.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c >index 14947746837..35ae110b5ef 100644 >--- a/source4/dsdb/samdb/ldb_modules/util.c >+++ b/source4/dsdb/samdb/ldb_modules/util.c >@@ -1548,15 +1548,19 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx, > > for (i = 0; i < msg->num_elements; i++) { > if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) { >+ const struct ldb_message_element *tmp_el = &msg->elements[i]; > if ((operation == LDB_MODIFY) && >- (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) >+ (LDB_FLAG_MOD_TYPE(tmp_el->flags) > == LDB_FLAG_MOD_DELETE)) { > continue; > } >+ if (tmp_el->values == NULL || tmp_el->num_values == 0) { >+ continue; >+ } > memcpy(v, >- msg->elements[i].values, >- msg->elements[i].num_values); >- v += msg->elements[i].num_values; >+ tmp_el->values, >+ tmp_el->num_values); >+ v += tmp_el->num_values; > } > } > >-- >2.35.0 >
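Review bot: the new `el == NULL || el->num_values == 0` guard in samldb_schema_add_handle_linkid makes an element with zero values take the same early `return LDB_SUCCESS` path as an absent attribute; since the commit message says this is what stops the read of the first element of an empty array, a short comment at that return ("an element with no values is treated as not present") and a test that submits such an element would pin the intended behaviour, as the series adds neither.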
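Review bot: the second hunk repeats the identical `el == NULL || el->num_values == 0` check in samldb_schema_add_handle_mapiid; acceptable for a minimal security fix, but with the same two-line guard now duplicated in both handlers, a small shared helper (or at least a comment pointing at the sibling check) would keep them from drifting apart in later changes.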
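Review bot: bounding the loop by `msg->num_elements` instead of `val_count` fixes the over-read of `msg->elements` that the commit message describes, but the hunk does not show how `val_count`, the size of the `_el->values` buffer that `v` walks through, is computed; please confirm it is the sum of `num_values` over exactly the elements this loop copies (name matches `attr_name`, and not `LDB_FLAG_MOD_DELETE` on modify), otherwise the writes through `v` can still run past the end of that buffer even with the corrected loop bound.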
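Review bot: the memcpy length in this hunk looks wrong independently of the NULL fix: `memcpy(v, tmp_el->values, tmp_el->num_values)` copies `num_values` bytes, while the next line `v += tmp_el->num_values` advances `v` by `num_values` elements. Assuming `v` has the same type as `_el->values` (a `struct ldb_val *` in ldb), the length should be `tmp_el->num_values * sizeof(*v)`; as written only the first `num_values` bytes of each matching element's values land in the destination and the remainder of that slot stays uninitialised, which is the same class of problem the 2/3 commit message warns about. The added `tmp_el->values == NULL || tmp_el->num_values == 0` continue is fine on its own and does remove the NULL-pointer memcpy the subject line targets.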
Attachments on bug 15008: 17203 | 17204 | 17317 | 17340 | 17341 | 17343 | 17379