It can happen that paged_results() fails, e.g. due to LDB_ERR_TIME_LIMIT_EXCEEDED. If that happens we should not dereference ares->response if ares is NULL. We also should not call ldb_module_done() if paged_results() fails, as it was already called.
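The failure path described in the report above, as an added example that is not part of the original bug report and is not Samba's code. It is a simplified model: every `model_*` and `callback_*` name, the struct layouts and the constructed time-limit condition are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins; none of these are Samba's real types or functions. */
enum { MODEL_OK = 0, MODEL_TIME_LIMIT = 3 };
struct model_reply { const char *response; };
struct model_req { int done_calls; int last_error; int time_limit_hit; };

/* Completes the request; must run exactly once per request. */
static int model_done(struct model_req *req, const char *response, int err)
{
    (void)response;
    req->done_calls++;
    req->last_error = err;
    return err;
}

/* On failure this helper completes the request itself before returning. */
static int model_paged_results(struct model_req *req)
{
    if (req->time_limit_hit) {
        return model_done(req, NULL, MODEL_TIME_LIMIT);
    }
    return MODEL_OK;
}

/* 'Before' shape: reads ares->response and completes the request again. */
int callback_before(struct model_req *req, struct model_reply *ares)
{
    int ret = model_paged_results(req);
    if (ret != MODEL_OK) {
        return model_done(req, ares->response, ret); /* crashes if ares == NULL */
    }
    return model_done(req, ares->response, MODEL_OK);
}

/* 'After' shape: a failed helper already finished the request, so just return. */
int callback_after(struct model_req *req, struct model_reply *ares)
{
    int ret = model_paged_results(req);
    if (ret != MODEL_OK) {
        return ret;
    }
    return model_done(req, ares != NULL ? ares->response : NULL, MODEL_OK);
}

int main(void)
{
    struct model_req req = { 0, 0, 1 };   /* constructed: time limit exceeded */
    int ret = callback_after(&req, NULL);
    printf("ret=%d done_calls=%d\n", ret, req.done_calls);
    return 0;
}
```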
This bug was referenced in samba master: 19fa22b1fbcf33dbc4defe4dd2e487a642786c49 7d16a56b9d1cde8a5174381ef4924a2ea7be59bc
Created attachment 17126 Patches for v4-15-test
Created attachment 17127 Patches for v4-14-test
Pushed to autobuild-v4-{15,14}-test.
This bug was referenced in samba v4-14-test: 271d3f7b4a82f75e2e75b9c5ba62c1aa9944f570 cefad52c90be03ef2ca95f1cc2c9ddfec19e85c8
This bug was referenced in samba v4-15-test: b958358516605918e32a21ba98e6d85a1d59acbb 911675da55999c4b2c82fe658c92518d23f7ced7
Closing out bug report. Thanks!
I presume this isn't as relevant for 4.13 and older versions because while any search can fail, they don't have the likely trigger in the timeout case because these patches were not backported:

commit 3e8d6e681f8dbe79e4595549f78c42649b3573a2
Author: Andrew Bartlett <abartlet@samba.org>
Date: Thu Nov 18 16:09:47 2021 +1300

    CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
    ..
    (cherry picked from commit 3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393)

commit 3a4eb50cf74671de3442d179bd2d44afd5bc52c1
Author: Andrew Bartlett <abartlet@samba.org>
Date: Thu Nov 18 15:57:34 2021 +1300

    CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
    (cherry picked from commit 5f0590362c5c0c5ee20503a67467f9be2d50e73b)

and

commit 08c9016cb9f25105c39488770113a1b00f8a4223
Author: Andrew Bartlett <abartlet@samba.org>
Date: Mon Sep 27 16:47:46 2021 +1300

    CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
    (cherry picked from commit 1d5b155619bc532c46932965b215bd73a920e56f)
This bug was referenced in samba v4-15-stable (Release samba-4.15.6): b958358516605918e32a21ba98e6d85a1d59acbb 911675da55999c4b2c82fe658c92518d23f7ced7
This bug was referenced in samba v4-14-stable (Release samba-4.14.13): 271d3f7b4a82f75e2e75b9c5ba62c1aa9944f570 cefad52c90be03ef2ca95f1cc2c9ddfec19e85c8