Bug 14952 - segfault in paged_results() due to LDB_ERR_TIME_LIMIT_EXCEEDED
Summary: segfault in paged_results() due to LDB_ERR_TIME_LIMIT_EXCEEDED
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-19 15:33 UTC by Stefan Metzmacher
Modified: 2022-04-04 12:49 UTC
CC List: 4 users

See Also:


Attachments
Patches for v4-15-test (7.74 KB, patch)
2022-01-24 16:55 UTC, Stefan Metzmacher
dbagnall: review+
Patches for v4-14-test (7.74 KB, patch)
2022-01-24 16:56 UTC, Stefan Metzmacher
dbagnall: review+

Description Stefan Metzmacher 2022-01-19 15:33:59 UTC
It can happen that paged_results() fails, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED; if that happens we should not
dereference ares->response, if ares is NULL.

We also should not call ldb_module_done() if paged_results()
fails, as it was already called.
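The two defects named in the description (dereferencing ares after paged_results() has failed and left it NULL, and reporting completion a second time through ldb_module_done()) can be shown with a small constructed model. The code below is an added example and is not Samba's code: module_done(), paged_results(), and the request and reply structs are simplified stand-ins for the real ldb API (the real ldb_module_done() takes controls and an extended response as well), the time_limit_hit field is a constructed switch that forces the time-limit path, and the numeric error codes follow the LDAP result codes ldb uses.

```c
/*
 * Added example: a constructed, simplified model of the failure mode in the
 * bug report. The types and functions below are stand-ins, NOT the real
 * Samba ldb API.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDB_SUCCESS 0
#define LDB_ERR_OPERATIONS_ERROR 1     /* LDAP operationsError */
#define LDB_ERR_TIME_LIMIT_EXCEEDED 3  /* LDAP timeLimitExceeded */

struct ldb_reply {
    int error;
    const char *response; /* the page of results handed back on success */
};

struct ldb_request {
    int done_calls;     /* how often module_done() has run: must end at 1 */
    int status;         /* final error code reported to the caller */
    int time_limit_hit; /* constructed switch: force the time-limit path */
};

/* Stand-in for ldb_module_done(): reports the request's final result.
 * Running it twice for one request is the second defect the report names. */
static int module_done(struct ldb_request *req, int error)
{
    req->done_calls++;
    req->status = error;
    return error;
}

/* Stand-in for paged_results(): on the time-limit path it has already
 * reported completion via module_done(), returns the error and leaves *ares
 * NULL. The caller must then neither touch *ares nor call module_done(). */
static int paged_results(struct ldb_request *req, struct ldb_reply **ares)
{
    if (req->time_limit_hit) {
        *ares = NULL;
        return module_done(req, LDB_ERR_TIME_LIMIT_EXCEEDED);
    }
    *ares = calloc(1, sizeof(**ares));
    if (*ares == NULL) {
        return module_done(req, LDB_ERR_OPERATIONS_ERROR);
    }
    (*ares)->error = LDB_SUCCESS;
    (*ares)->response = "page"; /* constructed sample page */
    return LDB_SUCCESS;
}

/* Hardened caller: checks the return of paged_results() before using ares,
 * and returns without a second module_done() when it already failed. */
static int search_callback(struct ldb_request *req, const char **page_out)
{
    struct ldb_reply *ares = NULL;
    int ret;

    *page_out = NULL;
    ret = paged_results(req, &ares);
    if (ret != LDB_SUCCESS) {
        /* paged_results() already called module_done() and ares may be
         * NULL: propagate the error with no dereference and no second done. */
        return ret;
    }

    *page_out = ares->response; /* only reached on success, so ares is valid */
    free(ares);
    return module_done(req, LDB_SUCCESS);
}

/* Invariant worth checking in a test: every completed request reported its
 * result exactly once, whichever path it took. */
static int done_exactly_once(const struct ldb_request *req)
{
    return req->done_calls == 1;
}

int main(void)
{
    struct ldb_request ok = { 0, 0, 0 };
    struct ldb_request timed_out = { 0, 0, 1 };
    const char *page = NULL;
    int ret;

    ret = search_callback(&ok, &page);
    printf("success path: ret=%d done_calls=%d page=%s\n",
           ret, ok.done_calls, page ? page : "(null)");
    ret = search_callback(&timed_out, &page);
    printf("time-limit path: ret=%d done_calls=%d page=%s\n",
           ret, timed_out.done_calls, page ? page : "(null)");
    return 0;
}
```

On the time-limit path the callback returns the error from paged_results() untouched, page_out stays NULL, and done_calls remains 1; a caller that instead read ares->response or called module_done() again would reproduce the crash and the double completion the report describes.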
Comment 1 Samba QA Contact 2022-01-20 10:05:06 UTC
This bug was referenced in samba master:

19fa22b1fbcf33dbc4defe4dd2e487a642786c49
7d16a56b9d1cde8a5174381ef4924a2ea7be59bc
Comment 2 Stefan Metzmacher 2022-01-24 16:55:44 UTC
Created attachment 17126 [details]
Patches for v4-15-test
Comment 3 Stefan Metzmacher 2022-01-24 16:56:13 UTC
Created attachment 17127 [details]
Patches for v4-14-test
Comment 4 Jule Anger 2022-01-26 09:56:16 UTC
Pushed to autobuild-v4-{15,14}-test.
Comment 5 Samba QA Contact 2022-01-26 11:25:13 UTC
This bug was referenced in samba v4-14-test:

271d3f7b4a82f75e2e75b9c5ba62c1aa9944f570
cefad52c90be03ef2ca95f1cc2c9ddfec19e85c8
Comment 6 Samba QA Contact 2022-01-26 11:55:13 UTC
This bug was referenced in samba v4-15-test:

b958358516605918e32a21ba98e6d85a1d59acbb
911675da55999c4b2c82fe658c92518d23f7ced7
Comment 7 Jule Anger 2022-01-26 12:11:34 UTC
Closing out bug report.

Thanks!
Comment 8 Andrew Bartlett 2022-02-11 09:42:05 UTC
I presume this isn't as relevant for 4.13 and older versions because, while any search can fail, they don't have the likely trigger in the timeout case because these patches were not backported:

commit 3e8d6e681f8dbe79e4595549f78c42649b3573a2
Author: Andrew Bartlett <abartlet@samba.org>
Date:   Thu Nov 18 16:09:47 2021 +1300

    CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
    
..

    (cherry picked from commit 3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393)

commit 3a4eb50cf74671de3442d179bd2d44afd5bc52c1
Author: Andrew Bartlett <abartlet@samba.org>
Date:   Thu Nov 18 15:57:34 2021 +1300

    CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
    
    (cherry picked from commit 5f0590362c5c0c5ee20503a67467f9be2d50e73b)

and

commit 08c9016cb9f25105c39488770113a1b00f8a4223
Author: Andrew Bartlett <abartlet@samba.org>
Date:   Mon Sep 27 16:47:46 2021 +1300

    CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
    
    (cherry picked from commit 1d5b155619bc532c46932965b215bd73a920e56f)
Comment 9 Samba QA Contact 2022-03-15 13:22:21 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.6):

b958358516605918e32a21ba98e6d85a1d59acbb
911675da55999c4b2c82fe658c92518d23f7ced7
Comment 10 Samba QA Contact 2022-04-04 12:49:45 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.13):

271d3f7b4a82f75e2e75b9c5ba62c1aa9944f570
cefad52c90be03ef2ca95f1cc2c9ddfec19e85c8