Bug 14952 - segfault in paged_results() due to LDB_ERR_TIME_LIMIT_EXCEEDED
Summary: segfault in paged_results() due to LDB_ERR_TIME_LIMIT_EXCEEDED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Depends on:
Reported: 2022-01-19 15:33 UTC by Stefan Metzmacher
Modified: 2022-04-04 12:49 UTC

See Also:

Patches for v4-15-test (7.74 KB, patch)
2022-01-24 16:55 UTC, Stefan Metzmacher
dbagnall: review+
Patches for v4-14-test (7.74 KB, patch)
2022-01-24 16:56 UTC, Stefan Metzmacher
dbagnall: review+

Description Stefan Metzmacher 2022-01-19 15:33:59 UTC
It can happen that paged_results() fails, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED; if that happens we should not
dereference ares->response if ares is NULL.

We also should not call ldb_module_done() if paged_results()
fails, as it was already called.
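As an added illustration of the two defects described above (a constructed C model, not Samba's code: the ldb codes and types, module_done() and the paged_results() contract are simplified stand-ins), the corrected callback returns as soon as paged_results() reports failure, because the failing helper has already completed the request:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Constructed stand-ins for ldb's codes and types (not Samba's definitions). */
#define LDB_SUCCESS                 0
#define LDB_ERR_TIME_LIMIT_EXCEEDED 3
struct ldb_reply { const char *response; };
struct req_ctx {
    int done_calls;      /* ldb_module_done() calls: must end at exactly 1 */
    int final_error;     /* error the request was completed with */
    const char *handled; /* response the callback dereferenced, if any */
};

/* Stand-in for ldb_module_done(): completes the request towards the caller.
   Completing it twice is the second defect the report names. */
static int module_done(struct req_ctx *ctx, int err)
{
    ctx->done_calls++;
    ctx->final_error = err;
    return err;
}

/* Stand-in for paged_results(): on failure it completes the request itself,
   leaves *ares NULL and returns the error; on success it hands back a reply. */
static int paged_results(struct req_ctx *ctx, bool timed_out, struct ldb_reply **ares)
{
    static struct ldb_reply reply = { .response = "CN=example" };
    if (timed_out) {
        *ares = NULL;
        return module_done(ctx, LDB_ERR_TIME_LIMIT_EXCEEDED);
    }
    *ares = &reply;
    return LDB_SUCCESS;
}

/* Corrected callback. The pre-fix code ignored paged_results()' return value,
   read ares->response (NULL on failure: the segfault) and then called
   ldb_module_done() a second time. Whoever reports the error owns completion,
   so on failure the callback returns at once and touches nothing else. */
static int search_callback(struct req_ctx *ctx, bool timed_out)
{
    struct ldb_reply *ares = NULL;
    int ret = paged_results(ctx, timed_out, &ares);
    if (ret != LDB_SUCCESS) {
        return ret; /* already completed by paged_results() */
    }
    ctx->handled = ares->response;
    return module_done(ctx, LDB_SUCCESS);
}
```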
Comment 1 Samba QA Contact 2022-01-20 10:05:06 UTC
This bug was referenced in samba master:

Comment 2 Stefan Metzmacher 2022-01-24 16:55:44 UTC
Created attachment 17126
Patches for v4-15-test
Comment 3 Stefan Metzmacher 2022-01-24 16:56:13 UTC
Created attachment 17127
Patches for v4-14-test
Comment 4 Jule Anger 2022-01-26 09:56:16 UTC
Pushed to autobuild-v4-{15,14}-test.
Comment 5 Samba QA Contact 2022-01-26 11:25:13 UTC
This bug was referenced in samba v4-14-test:

Comment 6 Samba QA Contact 2022-01-26 11:55:13 UTC
This bug was referenced in samba v4-15-test:

Comment 7 Jule Anger 2022-01-26 12:11:34 UTC
Closing out bug report.

Comment 8 Andrew Bartlett 2022-02-11 09:42:05 UTC
I presume this isn't as relevant for 4.13 and older versions because, while any search can fail, they don't have the likely trigger in the timeout case because these patches were not backported:

commit 3e8d6e681f8dbe79e4595549f78c42649b3573a2
Author: Andrew Bartlett <abartlet@samba.org>
Date:   Thu Nov 18 16:09:47 2021 +1300

    CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts

    (cherry picked from commit 3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393)

commit 3a4eb50cf74671de3442d179bd2d44afd5bc52c1
Author: Andrew Bartlett <abartlet@samba.org>
Date:   Thu Nov 18 15:57:34 2021 +1300

    CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
    (cherry picked from commit 5f0590362c5c0c5ee20503a67467f9be2d50e73b)
commit 08c9016cb9f25105c39488770113a1b00f8a4223
Author: Andrew Bartlett <abartlet@samba.org>
Date:   Mon Sep 27 16:47:46 2021 +1300

    CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
    (cherry picked from commit 1d5b155619bc532c46932965b215bd73a920e56f)
Comment 9 Samba QA Contact 2022-03-15 13:22:21 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.6):

Comment 10 Samba QA Contact 2022-04-04 12:49:45 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.13):