Bug 14656 - spaces incorrectly collapsed in ldb attributes
Summary: spaces incorrectly collapsed in ldb attributes
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: CVE-2021-20277
Blocks:
  Show dependency treegraph
 
Reported: 2021-03-05 20:12 UTC by Douglas Bagnall
Modified: 2022-01-12 12:54 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Douglas Bagnall 2021-03-05 20:12:30 UTC
This is the bug described in comment 1 of bug 14655, which is not a security issue in itself, but cannot easily be fixed separately. I'm putting it here to track it. When bug 14655 is public, this one can be public.

See attachment 16501 [details]

ldb_handler_fold() makes mistakes when collapsing multiple internal spaces down to a single space. 

When trying to add a test asserting that "1    0" would match "*1 0" (because all those spaces shrink to one, and "*X" matches "X"), I found that instead "1    0" was being converted to "1 0  0": the internal spaces were shrunk, but the terminating '\0' was not added and the ldb_val length was not adjusted.


That's because here:

	/* check middle spaces */
	while ((t = strchr(s, ' ')) != NULL) {
		for (s = t; *s == ' '; s++) ;

		if ((s - t) > 1) {
			l = strlen(s);

			/* remove all spaces but one by moving down the string */
			memmove(t + 1, s, l);
		}
	}

let's label our four spaces a, b, c, d and assume a terminated string. We have the 7 bytes {'1', a, b, c, d, '0', '\0'}. 
The strchr() points t to space a.
The for loop walks s along the spaces until it hits '0'.  
`s - t` is 4, so we set l to strlen(s) which is 1. 
Then we memmove(b, s, 1). That copies the '0' to position b.
Next strchr hits the '\0' and we're done, leaving us with "1 0  0".

The proposed fix is to walk though the whole string simply and carefully in a single loop, stepping over extra spaces as we find them. This patch is written to go on top of attachment 16500 [details].
Comment 1 Douglas Bagnall 2021-03-24 23:05:28 UTC
https://gitlab.com/samba-team/samba/-/merge_requests/1865

Removing the embargo, which was blocked by CVE-2021-20277 (bug #14655).
Comment 2 Samba QA Contact 2021-04-07 03:17:11 UTC
This bug was referenced in samba master:

24ddc1ca9cad95673bdd8023d99867707b37085f
Comment 3 Douglas Bagnall 2021-04-14 02:34:30 UTC
Let's not backport. There is more pressing work, and people don't seem to hit often this in practice (presumably because they use a single space).
Comment 4 Samba QA Contact 2021-11-02 21:48:05 UTC
This bug was referenced in samba v4-14-test:

4548760ee8e85f089a39a83acc8e6fdb5863d023
Comment 5 Samba QA Contact 2021-11-02 22:55:12 UTC
This bug was referenced in samba v4-13-test:

0c32ab5f61af06061e6ba18dbe636f62da037f1f
Comment 6 Samba QA Contact 2021-11-09 18:23:03 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.14):

0c32ab5f61af06061e6ba18dbe636f62da037f1f
Comment 7 Samba QA Contact 2021-11-09 18:24:03 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.10):

4548760ee8e85f089a39a83acc8e6fdb5863d023
Comment 8 Samba QA Contact 2021-12-03 12:55:15 UTC
This bug was referenced in samba master:

f621317e3b25a8925ab6e448068264488a0a47c7
Comment 9 Samba QA Contact 2021-12-08 10:55:51 UTC
This bug was referenced in samba v4-15-test:

cd9783148b8bdbbf9b1e43d2a7a7e3d5a6a0420e
Comment 10 Samba QA Contact 2021-12-08 14:37:02 UTC
This bug was referenced in samba v4-14-test:

ce1186e06ed2581a29af794eb66405a4efe26b71
Comment 11 Samba QA Contact 2021-12-08 14:40:04 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.3):

cd9783148b8bdbbf9b1e43d2a7a7e3d5a6a0420e
Comment 12 Samba QA Contact 2021-12-08 16:55:23 UTC
This bug was referenced in samba v4-13-test:

dd679ce7f4450765274b085bbee97d1fa8e0f2a0
Comment 13 Samba QA Contact 2021-12-15 14:25:55 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.15):

dd679ce7f4450765274b085bbee97d1fa8e0f2a0
Comment 14 Samba QA Contact 2021-12-15 14:55:50 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.11):

ce1186e06ed2581a29af794eb66405a4efe26b71