Bug 11602 - LDB Integer overflow fix and ldb_parse tests
Product: Samba 4.1 and newer
Classification: Unclassified
Hardware: All  OS: All
Priority: P5  Severity: normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2015-11-15 23:52 UTC by Andrew Bartlett
Modified: 2016-07-29 02:41 UTC (History)

patch for master (72.06 KB, patch)
2015-11-15 23:56 UTC, Andrew Bartlett
patch for master (with better commit messages) (72.16 KB, patch)
2015-11-16 00:25 UTC, Andrew Bartlett
abartlet: review? (jra)
abartlet: review? (mat)

Description Andrew Bartlett 2015-11-15 23:52:24 UTC
The packed LDB data is vulnerable to integer overflow that can cause a read of memory from elsewhere in the calling process.

It is quite unusual for an LDB file to be passed around (this is not available as a network attack), and this memory read is not a write, but in case we decide to call this 'security', I've filed a bug. 

The lack of overflow protection was noticed by Jeremy Allison during code review, and confirmed as real-world during fuzzing with american fuzzy lop.

I have also added checks for overflow in the ldb_pack direction; I don't know if these could be exploited with a sufficiently large LDAP packet.
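The failure mode described in this report (a length field in packed data that slips past the bound check through integer wraparound, so the unpacker reads beyond the buffer), shown as an added illustration that is not Samba's ldb code: the record layout (little-endian uint32 length followed by bytes) and all function names are constructed stand-ins for the packed LDB value format.

```c
/*
 * Added illustration, not Samba's ldb code: a length-prefixed record
 * unpacker showing the overflow-prone bound check beside the safe one.
 * The [uint32 LE length][bytes] layout is a constructed stand-in for
 * the packed LDB value format.
 */
#include <stdint.h>
#include <stddef.h>

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Overflow-prone form: "off + len" is computed in 32-bit arithmetic and
 * wraps, so a huge len passes the check and the caller would read far
 * past the buffer. Returns 1 if the check (wrongly) accepts. */
int naive_check_accepts(uint32_t off, uint32_t len, uint32_t size)
{
    return (off + len <= size);   /* wraps once off + len > UINT32_MAX */
}

/* Safe form: compare len against the bytes remaining instead of forming
 * a sum that can overflow. */
int safe_check_accepts(uint32_t off, uint32_t len, uint32_t size)
{
    return (off <= size) && (len <= size - off);
}

/* Walk a buffer of [len][data] items using the safe check. Returns the
 * number of values unpacked, or -1 on a truncated or oversized length. */
int unpack_values(const uint8_t *buf, uint32_t size)
{
    uint32_t off = 0;
    int count = 0;
    while (off < size) {
        if (size - off < 4) return -1;                 /* truncated length */
        uint32_t len = read_le32(buf + off);
        off += 4;
        if (!safe_check_accepts(off, len, size)) return -1;   /* oversized */
        off += len;
        count++;
    }
    return count;
}

/* Constructed inputs: GOOD holds a 3-byte value and an empty value;
 * BAD holds a 3-byte value and then a length claiming 0xFFFFFFFC bytes. */
static const uint8_t GOOD[] = {3,0,0,0,'a','b','c', 0,0,0,0};
static const uint8_t BAD[]  = {3,0,0,0,'a','b','c', 0xfc,0xff,0xff,0xff};
```

On BAD the oversized length sits at offset 11 of an 11-byte buffer: the naive sum wraps to 7 and is accepted, while the remaining-bytes comparison rejects it.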
Comment 1 Andrew Bartlett 2015-11-15 23:56:45 UTC
Created attachment 11598 [details]
patch for master

Attached are the patches in question, both the tests (showing we didn't break the parser) and the overflow fixes.
Comment 2 Andrew Bartlett 2015-11-16 00:25:53 UTC
Created attachment 11600 [details]
patch for master (with better commit messages)

An improved set of commit messages to give correct credit on the overflow patch.
Comment 3 Andrew Bartlett 2015-11-23 22:08:51 UTC
Comment on attachment 11600 [details]
patch for master (with better commit messages)
Any chance of a Signed-off-by on patch 3/8 here?
Comment 9 Stefan Metzmacher 2016-01-22 10:05:03 UTC
(In reply to Andrew Bartlett from comment #3)

Andrew, what's the status of this bug?
Comment 10 Andrew Bartlett 2016-07-29 02:41:36 UTC
Fixed in 315049e083814d529af6973be263e296ed78ca75 in Samba 4.4