samba/CVE-2018-16851.patch

From f33f52c366f7cf140f470de44579dcb7eb832629 Mon Sep 17 00:00:00 2001
From: Garming Sam <garming@catalyst.net.nz>
Date: Mon, 5 Nov 2018 16:18:18 +1300
Subject: [PATCH 07/17] CVE-2018-16851 ldap_server: Check ret before
 manipulating blob

In the case of hitting the talloc ~256MB limit, this causes a crash in
the server.

Note that you would actually need to load >256MB of data into the LDAP.
Although there is some generated/hidden data which would help you reach that
limit (descriptors and RMD blobs).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/ldap_server/ldap_server.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index b5251e3623e..bc2f54bc146 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -690,13 +690,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
 		ret = data_blob_append(call, &blob, b.data, b.length);
 		data_blob_free(&b);
 
-		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
-
 		if (!ret) {
 			ldapsrv_terminate_connection(conn, "data_blob_append failed");
 			return;
 		}
 
+		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
+
 		DLIST_REMOVE(call->replies, call->replies);
 	}
 
-- 
2.17.1
Package init 2019-09-30 11:16:38 -04:00			`From f33f52c366f7cf140f470de44579dcb7eb832629 Mon Sep 17 00:00:00 2001`
			`From: Garming Sam <garming@catalyst.net.nz>`
			`Date: Mon, 5 Nov 2018 16:18:18 +1300`
			`Subject: [PATCH 07/17] CVE-2018-16851 ldap_server: Check ret before`
			`manipulating blob`

			`In the case of hitting the talloc ~256MB limit, this causes a crash in`
			`the server.`

			`Note that you would actually need to load >256MB of data into the LDAP.`
			`Although there is some generated/hidden data which would help you reach that`
			`limit (descriptors and RMD blobs).`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674`

			`Signed-off-by: Garming Sam <garming@catalyst.net.nz>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`
			`---`
			`source4/ldap_server/ldap_server.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c`
			`index b5251e3623e..bc2f54bc146 100644`
			`--- a/source4/ldap_server/ldap_server.c`
			`+++ b/source4/ldap_server/ldap_server.c`
			`@@ -690,13 +690,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)`
			`ret = data_blob_append(call, &blob, b.data, b.length);`
			`data_blob_free(&b);`

			`- talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");`
			`-`
			`if (!ret) {`
			`ldapsrv_terminate_connection(conn, "data_blob_append failed");`
			`return;`
			`}`

			`+ talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");`
			`+`
			`DLIST_REMOVE(call->replies, call->replies);`
			`}`

			`--`
			`2.17.1`