oLschema2ldif fail to import SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 (PostalAddress) Backtrace give us: #0 0x00007ffff6a5653d in __strcasecmp_l_ssse3 () from /lib64/libc.so.6 #1 0x00007ffff710eecd in find_syntax_map_by_standard_oid (standard_oid=0x647890 "1.3.6.1.4.1.1466.115.121.1.41") at ../source4/dsdb/schema/schema_syntax.c:2656 #2 0x0000000000403244 in process_entry (mem_ctx=0x60e9b0, entry=0x6464e0 "attributetype ( 1.3.6.1.4.1.7200.2.3.6 NAME 'LikePostalAddress' DESC 'TEST'\tSYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )") at ../source4/utils/oLschema2ldif.c:475 #3 0x00000000004034e7 in process_file (in=0x60f170, out=0x60fef0) at ../source4/utils/oLschema2ldif.c:551 #4 0x00000000004039be in main (argc=7, argv=0x7fffffffe5a8) at ../source4/utils/oLschema2ldif.c:683
Why don't check this block the long of dsdb_syntaxes array? --- for (i=0; dsdb_syntaxes[i].ldap_oid; i++) { dsdb_syntaxes[i].ldap_oid)); if (strcasecmp(standard_oid, dsdb_syntaxes[i].ldap_oid) == 0) { return &dsdb_syntaxes[i]; } } ---
Also can't import 1.3.6.1.4.1.1466.115.121.1.22 -> AD-Syntaxes.txt:Facsimile Telephone Number 1.3.6.1.4.1.1466.115.121.1.22
Michael Hanselmann has provided a fix for this and related issues. I'm marking this bug as embargoed for a day to allow anyone to come up with a plausible way this could be exploited, but as I understand it we have not issued a CVE for crashes in TDB from malformed DB files, for example. Folks are generally trying to convert well-known schema, not random files found online without any inspection.
Created attachment 15013 [details] patch from hansmi I'll update the patch to have the right BUG: markings and review tags before pushing.
Comment on attachment 15013 [details] patch from hansmi We loop over dsdb_syntaxes in two different ways: for (i=0; i < ARRAY_SIZE(dsdb_syntaxes); i++) { and for (i=0; dsdb_syntaxes[i].ldap_oid; i++) { Wouldn't that patch fix the 2nd one, but break the first one?
(In reply to Stefan Metzmacher from comment #5) As all elements have ldap_oid != NULL we could just always use for (i=0; i < ARRAY_SIZE(dsdb_syntaxes); i++) { as a fix. This should be its own commit, separate of the test changes. If it works the test could be the fist commit with a selftest/knownfail.d/ entry, which will be removed in the 2nd commit.
(In reply to Stefan Metzmacher from comment #6) Thanks, I've made that alternate fix. I've submitted a public merge request for this here: https://gitlab.com/samba-team/samba/merge_requests/353 I would normally agree on splitting up the patch however, the test loops on the old code (so preventing a knownfail) and given the marginal importance of this whole area I can't justify fixing it up.
Fixed in master by 29d7c80ee4d78e1dbdd506770a9cb7b34afa0ed0 for Samba 4.11