Package: samba / 2:4.5.16+dfsg-1+deb9u2

CVE-2018-16851-master.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
From 90c319ec77d27b7d9eeae9e5c7a41407f00caf23 Mon Sep 17 00:00:00 2001
From: Garming Sam <garming@catalyst.net.nz>
Date: Mon, 5 Nov 2018 16:18:18 +1300
Subject: [PATCH] CVE-2018-16851 ldap_server: Check ret before manipulating
 blob

In the case of hitting the talloc ~256MB limit, this causes a crash in
the server.

Note that you would actually need to load >256MB of data into the LDAP.
Although there is some generated/hidden data which would help you reach that
limit (descriptors and RMD blobs).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/ldap_server/ldap_server.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index b5251e3623e..bc2f54bc146 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -690,13 +690,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
 		ret = data_blob_append(call, &blob, b.data, b.length);
 		data_blob_free(&b);
 
-		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
-
 		if (!ret) {
 			ldapsrv_terminate_connection(conn, "data_blob_append failed");
 			return;
 		}
 
+		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
+
 		DLIST_REMOVE(call->replies, call->replies);
 	}
 
-- 
2.11.0