Created attachment 15075 [details]
a fix (with test!)
From Michael Hanselmann:
Calling the "ldb_parse_tree" function with a filter consisting of
exactly a single space (" ") would trigger a read beyond the input
buffer. A unittest is included.
Don't forget to add the test to the list of unit tests being run!
Created attachment 15087 [details]
patch "ldb: Avoid read beyond buffer"
Thank you for the reminder, Andrew.
Thankfully Samba doesn't give the remote client access to this function directly, over LDAP the filter is encoded as ASN.1, not as a string.
This would be more of a concern for things like a Python AD Web Services implementation (eg bug 11231) but this isn't production yet.
Thankfully outside a tool like ADWS complete control of the LDB filter string makes no sense, so it is unlikely to be a real-world issue.
I've also checked SSSD, and while I can't track every call I both can't so far see any way a user can completely control the filter (rather than just some of the filter) and conceptually that level of control just doesn't make any sense anyway.
Can you see any reason why this would need to be a CVE from the SSSD consumer point of view?
Removing security embargo, I can't see how this has a security impact for known users.
Fixed in master by 7f48fbcf7bad06a6df7812bb4fd3b0fca8edb4ea for Samba 4.11
Not backported at the moment as this is not an untrusted interface to the callers should just be careful.