Bug 14710 - Problem with AD membership in an AD with more than 100,000 groups (possible regression in 4.12?)
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.12.14
Hardware: All Linux
Importance: P5 regression
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on: 14717
Reported: 2021-05-19 05:54 UTC by maurer
Modified: 2022-06-14 06:28 UTC

Attachments:
  gdb trace (4.12 KB, text/plain), 2021-05-19 05:54 UTC, maurer
  full gdb backtrace (4.12.3) (7.58 KB, text/plain), 2021-05-19 05:54 UTC, maurer
  full_gdb_backtrace_with_patched_winbind.idl (8.07 KB, text/plain), 2021-05-20 06:37 UTC, maurer

Description maurer 2021-05-19 05:54:21 UTC
Created attachment 16614 [details]
gdb trace

I am trying to run wbinfo -g on an AD member server in an AD with more than 100,000 groups and it shows no output.

The Samba logs show
  list_groups XXX
[2021/05/17 14:21:49.826967,  1] ../../librpc/ndr/ndr.c:632(_ndr_pull_error)
  ndr_pull_array_size: ndr_pull_error(Range Error): More than 65535 NDR tokens stored for array_size at ../../librpc/ndr/ndr.c:1093

wbinfo -g is still working with samba-4.10 on CentOS-7.
I am wondering if the following change


 * This value is arbitrary, but designed to reduce the memory a client
 * can allocate and the work the client can force in processing a
 * malicious packet.
 * In an ideal world this would be controlled by range() restrictions
 * on array sizes and careful IDL construction to avoid arbitrary
 * linked lists, but this is a backstop for now.

Increasing this value solves the problem.
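The check a practitioner would run on a member server showing these symptoms, as an added example that is not Samba's or the reporter's code: parse the two-line Samba log records for the NDR token-list backstop message quoted above and combine that with the group counts collected by hand. The sample log is constructed for the example (the two log lines from the report are kept verbatim; the headers and the third record around them are placeholders). `parse_samba_log`, `find_ndr_token_limit_errors` and `diagnose` are names chosen here, and the group counts passed to `diagnose` are assumed inputs, for instance `wbinfo -g | wc -l` on the member server versus a count of group objects taken directly from the directory.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the log excerpt in the report: each record is a
# "[timestamp, level] file:line(function)" header followed by an indented message.
# The two lines from the report are kept verbatim; the headers and the third
# record around them are placeholders added for this example.
SAMPLE_LOG = """\
[2021/05/17 14:21:49.826001,  3] ../../source3/winbindd/winbindd_group.c:10(list_groups)
  list_groups XXX
[2021/05/17 14:21:49.826967,  1] ../../librpc/ndr/ndr.c:632(_ndr_pull_error)
  ndr_pull_array_size: ndr_pull_error(Range Error): More than 65535 NDR tokens stored for array_size at ../../librpc/ndr/ndr.c:1093
[2021/05/17 14:21:50.000000,  3] ../../source3/winbindd/winbindd_group.c:20(list_groups)
  list_groups finished
"""

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\] "
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

# The NDR backstop message exactly as it appears in the report.
NDR_TOKEN_LIMIT_RE = re.compile(
    r"ndr_pull_error\((?P<err>[^)]*)\): More than (?P<limit>\d+) NDR tokens "
    r"stored for (?P<field>\w+) at (?P<where>\S+)"
)


@dataclass
class LogRecord:
    timestamp: str
    level: int
    file: str
    line: int
    func: str
    message: str = ""


@dataclass
class TokenLimitHit:
    timestamp: str
    error: str
    limit: int
    field: str
    where: str


def parse_samba_log(text: str) -> List[LogRecord]:
    """Group a Samba log into records: a header line plus its indented message lines."""
    records: List[LogRecord] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            records.append(LogRecord(m["ts"], int(m["level"]), m["file"],
                                     int(m["line"]), m["func"]))
        elif records and raw.strip():
            # Continuation lines are indented under the header they belong to.
            rec = records[-1]
            line = raw.strip()
            rec.message = line if not rec.message else rec.message + "\n" + line
    return records


def find_ndr_token_limit_errors(records: List[LogRecord]) -> List[TokenLimitHit]:
    """Return every record whose message is the NDR token-list backstop firing."""
    hits: List[TokenLimitHit] = []
    for rec in records:
        m = NDR_TOKEN_LIMIT_RE.search(rec.message)
        if m:
            hits.append(TokenLimitHit(rec.timestamp, m["err"], int(m["limit"]),
                                      m["field"], m["where"]))
    return hits


def diagnose(log_text: str, groups_from_wbinfo: int,
             groups_in_directory: int) -> Tuple[str, List[TokenLimitHit]]:
    """Combine the log scan with group counts collected by hand (assumed inputs:
    `wbinfo -g | wc -l` on the member server versus a count of group objects
    taken from the directory)."""
    hits = find_ndr_token_limit_errors(parse_samba_log(log_text))
    short = groups_from_wbinfo < groups_in_directory
    if hits and short:
        verdict = "ndr_token_limit"  # the symptom described in this report
    elif short:
        verdict = "short_listing_no_ndr_error"
    elif hits:
        verdict = "ndr_error_but_full_listing"
    else:
        verdict = "ok"
    return verdict, hits


if __name__ == "__main__":
    verdict, hits = diagnose(SAMPLE_LOG, groups_from_wbinfo=0,
                             groups_in_directory=100_000)
    print(verdict)
    for h in hits:
        print(f"{h.timestamp}: {h.error}, limit {h.limit} tokens for "
              f"{h.field} at {h.where}")
```

The verdict `ndr_token_limit` is only reached when both signals agree: the listing is shorter than the directory and the backstop message is present in the log at level 1, which is why the log level on the member server has to be at least 1 for this check to be meaningful.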
Comment 1 maurer 2021-05-19 05:54:49 UTC
Created attachment 16615 [details]
full gdb backtrace (4.12.3)
Comment 2 maurer 2021-05-20 06:37:19 UTC
Created attachment 16620 [details]
full_gdb_backtrace_with_patched_winbind.idl
Comment 3 Andrew Bartlett 2021-05-21 22:27:20 UTC
Yes, this is a regression from the DoS mitigation efforts in 7a0ed44b0e65e742a778915d493e17f04c43b2ef
Comment 4 Samba QA Contact 2021-06-02 04:47:03 UTC
This bug was referenced in samba master:

Comment 5 Björn Jacke 2021-12-10 08:36:53 UTC
Seems to be fixed, closing bug accordingly. Andrew, please cross-check!
Comment 6 Andrew Bartlett 2021-12-10 17:46:56 UTC
Yes, that should be fixed now.