Check the search request lengths against the limits passed to
ldap_decode.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
*packet_size = size;
return 0;
}
+
+/*
+ * Get the length of the ASN.1 data
+ */
+size_t asn1_get_length(const struct asn1_data *asn1) {
+ return asn1->length;
+}
DATA_BLOB *pblob);
void asn1_load_nocopy(struct asn1_data *data, uint8_t *buf, size_t len);
int asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size);
+size_t asn1_get_length(const struct asn1_data *asn1);
#endif /* _ASN_1_H */
struct ldap_SearchRequest *r = &msg->r.SearchRequest;
int sizelimit, timelimit;
const char **attrs = NULL;
+ size_t request_size = asn1_get_length(data);
msg->type = LDAP_TAG_SearchRequest;
+ if (request_size > limits->max_search_size) {
+ goto prot_err;
+ }
if (!asn1_start_tag(data, tag)) goto prot_err;
if (!asn1_read_OctetString_talloc(msg, data, &r->basedn)) goto prot_err;
if (!asn1_read_enumerated(data, (int *)(void *)&(r->scope))) goto prot_err;
projects / thirdparty / samba.git / commitdiff
