97 lines
3.5 KiB
Diff
97 lines
3.5 KiB
Diff
From 595dd9fc4162dd70ad937db8669a0fddbbba9584 Mon Sep 17 00:00:00 2001
|
|
From: Volker Lendecke <vl@samba.org>
|
|
Date: Thu, 9 Jul 2020 21:49:25 +0200
|
|
Subject: [PATCH] CVE-2020-14323 winbind: Fix invalid lookupsids DoS
|
|
|
|
A lookupsids request without extra_data will lead to "state->domain==NULL",
|
|
which makes winbindd_lookupsids_recv trying to dereference it.
|
|
|
|
Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
|
|
|
|
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
|
|
---
|
|
source3/winbindd/winbindd_lookupsids.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/source3/winbindd/winbindd_lookupsids.c b/source3/winbindd/winbindd_lookupsids.c
|
|
index d28b5fa9f01..a289fd86f0f 100644
|
|
--- a/source3/winbindd/winbindd_lookupsids.c
|
|
+++ b/source3/winbindd/winbindd_lookupsids.c
|
|
@@ -47,7 +47,7 @@ struct tevent_req *winbindd_lookupsids_send(TALLOC_CTX *mem_ctx,
|
|
DEBUG(3, ("lookupsids\n"));
|
|
|
|
if (request->extra_len == 0) {
|
|
- tevent_req_done(req);
|
|
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
|
return tevent_req_post(req, ev);
|
|
}
|
|
if (request->extra_data.data[request->extra_len-1] != '\0') {
|
|
--
|
|
2.29.2
|
|
|
|
From 0b259a48a70bde4dfd482e0720e593ae5a9c414a Mon Sep 17 00:00:00 2001
|
|
From: Volker Lendecke <vl@samba.org>
|
|
Date: Thu, 9 Jul 2020 21:48:57 +0200
|
|
Subject: [PATCH] CVE-2020-14323 torture4: Add a simple test for invalid
|
|
lookup_sids winbind call
|
|
|
|
We can't add this test before the fix, add it to knownfail and have the fix
|
|
remove the knownfail entry again. As this crashes winbind, many tests after
|
|
this one will fail.
|
|
|
|
Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
|
|
|
|
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
|
|
---
|
|
source4/torture/winbind/struct_based.c | 27 ++++++++++++++++++++++++++
|
|
1 file changed, 27 insertions(+)
|
|
|
|
diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c
|
|
index 9745b621ca9..71f248c0d61 100644
|
|
--- a/source4/torture/winbind/struct_based.c
|
|
+++ b/source4/torture/winbind/struct_based.c
|
|
@@ -1110,6 +1110,29 @@ static bool torture_winbind_struct_lookup_name_sid(struct torture_context *tortu
|
|
return true;
|
|
}
|
|
|
|
+static bool torture_winbind_struct_lookup_sids_invalid(
|
|
+ struct torture_context *torture)
|
|
+{
|
|
+ struct winbindd_request req = {0};
|
|
+ struct winbindd_response rep = {0};
|
|
+ bool strict = torture_setting_bool(torture, "strict mode", false);
|
|
+ bool ok;
|
|
+
|
|
+ torture_comment(torture,
|
|
+ "Running WINBINDD_LOOKUP_SIDS (struct based)\n");
|
|
+
|
|
+ ok = true;
|
|
+ DO_STRUCT_REQ_REP_EXT(WINBINDD_LOOKUPSIDS, &req, &rep,
|
|
+ NSS_STATUS_NOTFOUND,
|
|
+ strict,
|
|
+ ok=false,
|
|
+ talloc_asprintf(
|
|
+ torture,
|
|
+ "invalid lookupsids succeeded"));
|
|
+
|
|
+ return ok;
|
|
+}
|
|
+
|
|
struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx)
|
|
{
|
|
struct torture_suite *suite = torture_suite_create(ctx, "struct");
|
|
@@ -1132,6 +1155,10 @@ struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx)
|
|
torture_suite_add_simple_test(suite, "getpwent", torture_winbind_struct_getpwent);
|
|
torture_suite_add_simple_test(suite, "endpwent", torture_winbind_struct_endpwent);
|
|
torture_suite_add_simple_test(suite, "lookup_name_sid", torture_winbind_struct_lookup_name_sid);
|
|
+ torture_suite_add_simple_test(
|
|
+ suite,
|
|
+ "lookup_sids_invalid",
|
|
+ torture_winbind_struct_lookup_sids_invalid);
|
|
|
|
suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests");
|
|
|
|
--
|
|
2.29.2
|