The packed LDB data is vulnerable to integer overflow that can cause reads of memory from elsewhere in the calling process. It is quite unusual for an LDB file to be passed around (this is not available as a network attack), and this memory read is not a write, but in case we decide to call this 'security', I've filed a bug. The lack of overflow protection was noticed by Jeremy Allison during code review, and confirmed as real-world during fuzzing with american fuzzy lop. I have also added checks for overflow in the ldb_pack direction; I don't know if these could be exploited with a sufficiently large LDAP packet.
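To illustrate the class of defect described above, here is an added example that is not Samba's code and does not use the real LDB packed format. It parses a constructed toy format (4-byte little-endian length prefix followed by that many bytes, assumed for this illustration only) and shows the overflow-safe bounds check, comparing the declared length against the bytes remaining, alongside a helper that reproduces how a naive `offset + length > buflen` check on 32-bit arithmetic wraps and wrongly accepts an oversized length:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy format for illustration (NOT the real LDB packed format):
 * a sequence of records, each a 4-byte little-endian length followed by
 * that many payload bytes. */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unsafe pattern: computing off + len in a fixed-width type and then
 * comparing the sum against the buffer size. When the sum wraps, the check
 * passes and the parser reads past the buffer. Returns 1 if the naive check
 * would (wrongly) accept the record, 0 if it would reject it. */
int naive_check_accepts(uint32_t off, uint32_t len, uint32_t buflen)
{
    uint32_t end = off + len;      /* may wrap to a small value */
    return end > buflen ? 0 : 1;
}

/* Overflow-safe parser. Every bound check compares the declared length
 * against the bytes that remain (buflen - off), a subtraction that cannot
 * underflow because off <= buflen is an invariant of the loop. No sum of
 * offset and length is ever formed before it has been validated.
 * Returns the number of records parsed, or -1 on malformed input. */
int unpack_records_safe(const uint8_t *buf, size_t buflen, size_t *total_payload)
{
    size_t off = 0;
    int count = 0;

    *total_payload = 0;
    while (off < buflen) {
        if (buflen - off < 4)
            return -1;                      /* truncated length header */
        uint32_t len = read_le32(buf + off);
        off += 4;
        if (len > buflen - off)
            return -1;                      /* declared length exceeds remaining bytes */
        *total_payload += len;
        off += len;                         /* safe: already proven <= buflen */
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: "abc" then "xy". */
    static const uint8_t good[] = {3, 0, 0, 0, 'a', 'b', 'c', 2, 0, 0, 0, 'x', 'y'};
    /* Constructed sample: header claims 0xFFFFFFFC bytes but only 4 follow. */
    static const uint8_t wrap[] = {0xFC, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c', 'd'};
    size_t payload = 0;

    printf("good: %d records\n", unpack_records_safe(good, sizeof good, &payload));
    printf("wrap: %d (naive check would accept: %d)\n",
           unpack_records_safe(wrap, sizeof wrap, &payload),
           naive_check_accepts(4, 0xFFFFFFFCu, (uint32_t)sizeof wrap));
    return 0;
}
```

The pattern to look for in review is any check of the form `p + len > end` or `off + len > size`: both form the sum first, and a large attacker-supplied length can wrap it. Comparing `len` against `end - p` (or `size - off`) keeps the arithmetic on values that are already known to be in range.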
Created attachment 11598: patch for master. Attached are the patches in question, both the tests (showing we didn't break the parser) and the overflow fixes.
Created attachment 11600: patch for master (with better commit messages). An improved set of commit messages to give correct credit on the overflow patch.
Comment on attachment 11600 (patch for master, with better commit messages): Matthieu, any chance of a Signed-off-by on patch 3/8 here?
(In reply to Andrew Bartlett from comment #3) Andrew, what's the status of this bug?
Fixed in 315049e083814d529af6973be263e296ed78ca75 in Samba 4.4