Bug 13900 - ldb: Avoid read beyond buffer
Summary: ldb: Avoid read beyond buffer
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2019-04-16 22:33 UTC by Douglas Bagnall
Modified: 2019-06-11 10:38 UTC
CC: 5 users

See Also:

Attachments:
a fix (with test!) (4.67 KB, patch), 2019-04-16 22:33 UTC, Douglas Bagnall
patch "ldb: Avoid read beyond buffer" (5.09 KB, patch), 2019-04-19 18:29 UTC, hansmi

Description Douglas Bagnall 2019-04-16 22:33:51 UTC
Created attachment 15075
a fix (with test!)

From Michael Hanselmann:

Calling the "ldb_parse_tree" function with a filter consisting of
exactly a single space (" ") would trigger a read beyond the input
buffer. A unittest is included.
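The bug class in the report above, as an added illustration that is not ldb's code: a deliberately simplified, hypothetical filter front end that skips leading whitespace and then assumes at least one more byte of input. With the single-space filter " " the byte after the whitespace is the NUL terminator, so a scanner without a terminator check walks past the end of the buffer. The function names, the FILTER_* kinds and the choice to reject a whitespace-only filter (rather than substitute a default) are assumptions made for this example. The constructed buffer `adjacent` places unrelated bytes directly after " " so the over-read is observable without undefined behaviour.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical, simplified filter front end (not ldb's code) showing the bug
 * class in this report: skip leading whitespace, then assume at least one
 * more byte of input exists. For the single-space filter " " the byte after
 * the whitespace is the NUL terminator, so anything that keeps walking reads
 * past the buffer.
 */

enum filter_kind {
    FILTER_DEFAULT,   /* NULL or "": caller gets a match-everything filter */
    FILTER_COMPOUND,  /* starts with '(' after whitespace */
    FILTER_SIMPLE,    /* "attr=value" */
    FILTER_INVALID    /* whitespace-only or malformed (a choice made here) */
};

/* Vulnerable pattern: scan for the '=' of a simple filter with no check for
 * the terminator. Returns how many bytes it walked from the start. */
static size_t scan_attr_naive(const char *p)
{
    const char *start = p;
    while (isspace((unsigned char)*p)) p++;
    while (*p != '=') p++;            /* BUG: runs straight through '\0' */
    return (size_t)(p - start);
}

/* Hardened scanner: bounded by len, stops at '\0', rejects an empty name.
 * Returns the offset of '=' from s, or -1 if there is no attribute to parse. */
static long scan_attr_safe(const char *s, size_t len)
{
    const char *p = s, *end = s + len;
    while (p < end && isspace((unsigned char)*p)) p++;
    if (p == end || *p == '\0') return -1;      /* nothing after whitespace */
    const char *attr = p;
    while (p < end && *p != '\0' && *p != '=') p++;
    if (p == end || *p != '=' || p == attr) return -1;
    return (long)(p - s);
}

/* Front end with the check the report calls for: after skipping whitespace,
 * test for end of string before inspecting "the next character". */
static enum filter_kind classify_filter(const char *s)
{
    if (s == NULL || *s == '\0') return FILTER_DEFAULT;
    size_t len = strlen(s);
    const char *p = s;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '\0') return FILTER_INVALID;      /* " ", " \t", ... */
    if (*p == '(') return FILTER_COMPOUND;
    return scan_attr_safe(p, len - (size_t)(p - s)) >= 0 ? FILTER_SIMPLE
                                                         : FILTER_INVALID;
}

/* Constructed buffer: the filter " " with its NUL, followed by bytes that
 * merely happen to sit after it in memory. Laying them out in one array
 * makes the over-read observable without undefined behaviour. */
static const char adjacent[] = " \0xyz=";

/* The naive scanner reports walking 5 bytes: through the NUL at index 1 and
 * on to the '=' at index 5, well past the 1-byte string. The bounded scanner,
 * given the real length, reports -1. */
static size_t naive_walk_on_single_space(void)
{
    return scan_attr_naive(adjacent);
}

static long safe_walk_on_single_space(void)
{
    return scan_attr_safe(adjacent, strlen(adjacent));
}

int main(void)
{
    static const char *const kinds[] = {"default", "compound", "simple", "invalid"};
    const char *samples[] = {"", " ", " \t", "  (cn=x)", "cn=x", "=x"};
    size_t i;
    printf("naive scanner on \" \": walked %zu bytes (string length %zu)\n",
           naive_walk_on_single_space(), strlen(adjacent));
    printf("safe scanner on \" \": %ld\n", safe_walk_on_single_space());
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i], kinds[classify_filter(samples[i])]);
    return 0;
}
```

The point to carry over to any parser of this shape is that the whitespace-skip loop and the check for end of input are one unit: once the loop has stopped, the only safe next step is to test for the terminator (or compare against an explicit end pointer) before any further dereference or unconditional increment.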
Comment 1 Andrew Bartlett 2019-04-17 09:42:50 UTC
Don't forget to add the test to the list of unit tests being run!
Comment 2 hansmi 2019-04-19 18:29:57 UTC
Created attachment 15087
patch "ldb: Avoid read beyond buffer"

Thank you for the reminder, Andrew.
Comment 3 Andrew Bartlett 2019-04-28 23:18:58 UTC
Thankfully Samba doesn't give the remote client access to this function directly; over LDAP the filter is encoded as ASN.1, not as a string.

This would be more of a concern for things like a Python AD Web Services implementation (e.g. bug 11231), but this isn't production yet.

Thankfully, outside a tool like ADWS, complete control of the LDB filter string makes no sense, so it is unlikely to be a real-world issue.

I've also checked SSSD, and while I can't track every call, I both can't so far see any way a user can completely control the filter (rather than just some of the filter) and conceptually that level of control just doesn't make any sense anyway.
Comment 4 Andrew Bartlett 2019-04-29 05:15:43 UTC
Can you see any reason why this would need to be a CVE from the SSSD consumer point of view?
Comment 5 Andrew Bartlett 2019-05-10 00:52:28 UTC
Removing security embargo, I can't see how this has a security impact for known users.
Comment 6 Andrew Bartlett 2019-06-11 10:38:50 UTC
Fixed in master by 7f48fbcf7bad06a6df7812bb4fd3b0fca8edb4ea for Samba 4.11

Not backported at the moment as this is not an untrusted interface, so the callers should just be careful.