CVE-2020-10704: smb.conf: Add max ldap request sizes
authorGary Lockyer <gary@catalyst.net.nz>
Mon, 6 Apr 2020 21:09:01 +0000 (09:09 +1200)
committerKarolin Seeger <kseeger@samba.org>
Tue, 21 Apr 2020 08:21:09 +0000 (10:21 +0200)
Add two new smb.conf parameters to control the maximum permitted ldap
request size.

Adds:
   ldap max anonymous request size       default 250Kb
   ldap max authenticated request size   default 16Mb

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml [new file with mode: 0644]
docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml [new file with mode: 0644]
lib/param/loadparm.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
new file mode 100644 (file)
index 0000000..61bdcec
--- /dev/null
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max anonymous request size"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>
+               This parameter specifies the maximum permitted size (in bytes)
+               for an LDAP request received on an anonymous connection.
+       </para>
+
+       <para>
+               If the request size exceeds this limit the request will be
+               rejected.
+       </para>
+</description>
+<value type="default">256000</value>
+<value type="example">500000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
new file mode 100644 (file)
index 0000000..c5934f7
--- /dev/null
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max authenticated request size"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>
+               This parameter specifies the maximum permitted size (in bytes)
+               for an LDAP request received on an authenticated connection.
+       </para>
+
+       <para>
+               If the request size exceeds this limit the request will be
+               rejected.
+       </para>
+</description>
+<value type="default">16777216</value>
+<value type="example">4194304</value>
+</samba:parameter>
index e4d27cae8ea4ef817f6c3d50f7b368af773abbab..a63e665f9852abbcbeae2a983dcfbc114e5a75bd 100644 (file)
@@ -3008,6 +3008,11 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "store dos attributes", "yes");
 
+       lpcfg_do_global_parameter(
+               lp_ctx, "ldap max anonymous request size", "256000");
+       lpcfg_do_global_parameter(
+               lp_ctx, "ldap max authenticated request size", "16777216");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
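Review bot: The defaults "256000" and "16777216" are hard-coded here as string literals and repeated, without any shared definition, as integer literals in the source3/param/loadparm.c hunk (`Globals.ldap_max_anonymous_request_size = 256000;` / `... = 16777216;`) and as the default values in the two new docs-xml files, so a later change to one copy can silently drift from the others and the documented limit would no longer match the enforced one. A single pair of named constants (for example an `enum { LDAP_MAX_ANON_REQUEST_SIZE = 256000, LDAP_MAX_AUTH_REQUEST_SIZE = 16777216 };` in a header both loadparm.c files include, stringified here) would keep the two code paths in lockstep; at minimum add `/* Keep in sync with source3/param/loadparm.c and docs-xml/smbdotconf/ldap/ldapmax*request.xml */` above the new calls here and at the source3 site. Also worth noting for reviewers that nothing visible in this commit reads the new parameters, so the limits are declared but not yet enforced by these hunks alone; presumably the LDAP server change that consumes them lands in a companion commit. loadparm_init continues outside the hunk.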
index 12f32192bfe94814ffed873c3d9135917ab89ce7..b324e58cb4e54d0271da2686c9674026fa0065b8 100644 (file)
@@ -959,6 +959,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.prefork_backoff_increment = 10;
        Globals.prefork_maximum_backoff = 120;
 
+       Globals.ldap_max_anonymous_request_size = 256000;
+       Globals.ldap_max_authenticated_request_size = 16777216;
+
        /* Now put back the settings that were set with lp_set_cmdline() */
        apply_lp_set_cmdline();
 }