aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2018-05-21 15:20:26 +1200
committerKarolin Seeger <kseeger@samba.org>2018-08-11 08:16:04 +0200
commita36db4fceb3235047f190f6d23841394b17aafec (patch)
tree5f1db954bc67128427b535d64c896c3a76c273eb /lib
parent7331723918018a40904ab7339b051e7ebb136a6e (diff)
downloadsamba-a36db4fceb3235047f190f6d23841394b17aafec.tar.gz
samba-a36db4fceb3235047f190f6d23841394b17aafec.tar.xz
samba-a36db4fceb3235047f190f6d23841394b17aafec.zip
CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use
ldb_dn_from_ldb_val() does not validate this untrusted input, so a later call to ldb_dn_get_casefold() can fail if the input is not valid. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
Diffstat (limited to 'lib')
-rw-r--r--lib/ldb/ldb_tdb/ldb_index.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c
index 682469396ce..429c8f5aa24 100644
--- a/lib/ldb/ldb_tdb/ldb_index.c
+++ b/lib/ldb/ldb_tdb/ldb_index.c
@@ -970,6 +970,7 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
return LDB_SUCCESS;
}
if (ldb_attr_dn(tree->u.equality.attr) == 0) {
+ bool valid_dn = false;
struct ldb_dn *dn
= ldb_dn_from_ldb_val(list,
ldb_module_get_ctx(module),
@@ -981,6 +982,14 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
return LDB_SUCCESS;
}
+ valid_dn = ldb_dn_validate(dn);
+ if (valid_dn == false) {
+ /* If we can't parse it, no match */
+ list->dn = NULL;
+ list->count = 0;
+ return LDB_SUCCESS;
+ }
+
/*
* Re-use the same code we use for a SCOPE_BASE
* search