The Samba-Bugzilla – Attachment 17430 Details for
Bug 14694
CVE-2021-3670 [SECURITY] MaxQueryDuration not honoured in Samba AD DC LDAP
[patch]
Patch that only avoids modifying the caller's filter in anr (for 4.12)
4.12-do-not-modify-caller-filter.patch (text/plain), 3.74 KB, created by
Andrew Bartlett
on 2022-07-19 22:26:16 UTC
Description:
Patch that only avoids modifying the caller's filter in anr (for 4.12)
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2022-07-19 22:26:16 UTC
Size:
3.74 KB
patch
obsolete
>From fa907c76edc24e5f1086f30e5241a64754ddb999 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Thu, 18 Nov 2021 15:57:34 +1300
>Subject: [PATCH] CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr
> query before starting to modify it
>
>RN: Do not modify the caller-supplied memory in the anr=* handling to
>allow clear logging of the actual caller request after it has been processed.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>(cherry picked from commit 5f0590362c5c0c5ee20503a67467f9be2d50e73b)
>---
> source4/dsdb/samdb/ldb_modules/anr.c | 73 +++++++++++++++++++++++++---
> 1 file changed, 65 insertions(+), 8 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/anr.c b/source4/dsdb/samdb/ldb_modules/anr.c
>index ec9d82512c8..28e26b8aa8b 100644
>--- a/source4/dsdb/samdb/ldb_modules/anr.c
>+++ b/source4/dsdb/samdb/ldb_modules/anr.c
>@@ -146,8 +146,6 @@ static int anr_replace_value(struct anr_context *ac,
> return LDB_ERR_OPERATIONS_ERROR;
> }
>
>- ac->found_anr = true;
>-
> if (match->length > 1 && match->data[0] == '=') {
> struct ldb_val *match2 = talloc(mem_ctx, struct ldb_val);
> if (match2 == NULL){
>@@ -283,6 +281,49 @@ static int anr_replace_subtrees(struct anr_context *ac,
> return LDB_SUCCESS;
> }
>
>+struct anr_present_ctx {
>+ bool found_anr;
>+ const char *attr;
>+};
>+
>+/*
>+ callback to determine if ANR is in use at all
>+ */
>+static int parse_tree_anr_present(struct ldb_parse_tree *tree, void *private_context)
>+{
>+ struct anr_present_ctx *ctx = private_context;
>+ switch (tree->operation) {
>+ case LDB_OP_EQUALITY:
>+ case LDB_OP_GREATER:
>+ case LDB_OP_LESS:
>+ case LDB_OP_APPROX:
>+ if (ldb_attr_cmp(tree->u.equality.attr, ctx->attr) == 0) {
>+ ctx->found_anr = true;
>+ }
>+ break;
>+ case LDB_OP_SUBSTRING:
>+ if (ldb_attr_cmp(tree->u.substring.attr, ctx->attr) == 0) {
>+ ctx->found_anr = true;
>+ }
>+ break;
>+ case LDB_OP_PRESENT:
>+ if (ldb_attr_cmp(tree->u.present.attr, ctx->attr) == 0) {
>+ ctx->found_anr = true;
>+ }
>+ break;
>+ case LDB_OP_EXTENDED:
>+ if (tree->u.extended.attr &&
>+ ldb_attr_cmp(tree->u.extended.attr, ctx->attr) == 0) {
>+ ctx->found_anr = true;
>+ }
>+ break;
>+ default:
>+ break;
>+ }
>+ return LDB_SUCCESS;
>+}
>+
>+
> static int anr_search_callback(struct ldb_request *req, struct ldb_reply *ares)
> {
> struct anr_context *ac;
>@@ -320,8 +361,21 @@ static int anr_search(struct ldb_module *module, struct ldb_request *req)
> struct ldb_parse_tree *anr_tree;
> struct ldb_request *down_req;
> struct anr_context *ac;
>+ struct anr_present_ctx ctx;
>+ const char *attr = "anr";
> int ret;
>
>+ ctx.found_anr = false;
>+ ctx.attr = attr;
>+
>+ ldb_parse_tree_walk(req->op.search.tree,
>+ parse_tree_anr_present,
>+ &ctx);
>+
>+ if (!ctx.found_anr) {
>+ return ldb_next_request(module, req);
>+ }
>+
> ldb = ldb_module_get_ctx(module);
>
> ac = talloc(req, struct anr_context);
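Review bot: The four branches of the switch in parse_tree_anr_present each repeat the same `ldb_attr_cmp(..., ctx->attr) == 0` test and `ctx->found_anr = true;` assignment; picking the attribute name in the switch and comparing once afterwards keeps the NULL guard in one place and makes adding a new LDB_OP_ case a one-liner. The header comment could also say that the walk is not cut short on the first hit, e.g. `/* callback for ldb_parse_tree_walk: records whether any leaf names ctx->attr; never stops the walk and never fails */`, since anr_search in the next hunk relies on it always returning LDB_SUCCESS.
```c
static int parse_tree_anr_present(struct ldb_parse_tree *tree, void *private_context)
{
	struct anr_present_ctx *ctx = private_context;
	const char *attr = NULL;

	switch (tree->operation) {
	case LDB_OP_EQUALITY:
	case LDB_OP_GREATER:
	case LDB_OP_LESS:
	case LDB_OP_APPROX:
		attr = tree->u.equality.attr;
		break;
	case LDB_OP_SUBSTRING:
		attr = tree->u.substring.attr;
		break;
	case LDB_OP_PRESENT:
		attr = tree->u.present.attr;
		break;
	case LDB_OP_EXTENDED:
		attr = tree->u.extended.attr;
		break;
	default:
		break;
	}
	if (attr != NULL && ldb_attr_cmp(attr, ctx->attr) == 0) {
		ctx->found_anr = true;
	}
	return LDB_SUCCESS;
}
```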
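Review bot: The return value of `ldb_parse_tree_walk(...)` in anr_search is discarded; it is safe today only because parse_tree_anr_present (added in the hunk above) always returns LDB_SUCCESS, and nothing at the call site records that. Either assign it and treat a non-success as an error like the other calls in this function, or document the assumption: `/* cannot fail: parse_tree_anr_present always returns LDB_SUCCESS */`. As a style point, the two separate assignments could become a designated initializer at the declaration, `struct anr_present_ctx ctx = { .found_anr = false, .attr = attr };`, which also guarantees the struct is never read half-initialised. anr_search starts before and continues after this hunk.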
>@@ -331,20 +385,23 @@ static int anr_search(struct ldb_module *module, struct ldb_request *req)
>
> ac->module = module;
> ac->req = req;
>- ac->found_anr = false;
>
> #if 0
> printf("oldanr : %s\n", ldb_filter_from_tree (0, req->op.search.tree));
> #endif
>
>- ret = anr_replace_subtrees(ac, req->op.search.tree, "anr", &anr_tree);
>- if (ret != LDB_SUCCESS) {
>+ /* First make a copy, so we don't overwrite caller memory */
>+
>+ anr_tree = ldb_parse_tree_copy_shallow(ac, req->op.search.tree);
>+
>+ if (anr_tree == NULL) {
> return ldb_operr(ldb);
> }
>
>- if (!ac->found_anr) {
>- talloc_free(ac);
>- return ldb_next_request(module, req);
>+ /* Now expand 'anr' out */
>+ ret = anr_replace_subtrees(ac, anr_tree, attr, &anr_tree);
>+ if (ret != LDB_SUCCESS) {
>+ return ldb_operr(ldb);
> }
>
> ret = ldb_build_search_req_ex(&down_req,
>--
>GitLab
>
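Review bot: The comment on the `ldb_parse_tree_copy_shallow` call should spell out what "shallow" leaves shared, because the goal stated in the commit message (never touching caller memory) depends on it: the node structure is now owned by `ac`, but attribute names and `ldb_val` buffers still point into the caller's tree, so the replacement code must keep building fresh values (as anr_replace_value in the first hunk does with `match2`) and never write through them. Suggested wording: `/* Shallow copy: the tree nodes are ours, but leaf attr names and values are still the caller's and must only be replaced, never edited in place */`. Separately, with `ac->found_anr = false` removed here and `ac->found_anr = true` removed in the first hunk, the `found_anr` member of struct anr_context appears to be written nowhere in this file any more; if its definition (outside the hunk) still has it, it is dead and could be dropped. anr_search starts before and continues after this hunk.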