From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 5 May 2020 04:34:11 +0000 (+1200)
Subject: CVE-2020-10730: vlv: Another workaround for mixing ASQ and VLV
X-Git-Tag: ldb-1.5.8~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80144c53d5546314f929b48f40c704f7cff083a8;p=thirdparty%2Fsamba.git

CVE-2020-10730: vlv: Another workaround for mixing ASQ and VLV

This is essentially an alternative patch, but without the correct
behaviour.  Instead this just avoids a segfault.

Included in case we have something simialr again in
another module.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
---

diff --git a/source4/dsdb/samdb/ldb_modules/vlv_pagination.c b/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
index d58a62482c9..720b5e95638 100644
--- a/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
+++ b/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
@@ -442,10 +442,21 @@ static int vlv_results(struct vlv_context *ac)
 			ret = vlv_search_by_dn_guid(ac->module, ac, &result, guid,
 						    ac->req->op.search.attrs);
 
-			if (ret == LDAP_NO_SUCH_OBJECT) {
-				/* The thing isn't there, which we quietly
-				   ignore and go on to send an extra one
-				   instead. */
+			if (ret == LDAP_NO_SUCH_OBJECT
+			    || result->count != 1) {
+				/*
+				 * The thing isn't there, which we quietly
+				 * ignore and go on to send an extra one
+				 * instead.
+				 *
+				 * result->count == 0 or > 1 can only
+				 * happen if ASQ (which breaks all the
+				 * rules) is somehow invoked (as this
+				 * is a BASE search).
+				 *
+				 * (We skip the ASQ cookie for the
+				 * GUID searches)
+				 */
 				if (last_i < ac->store->num_entries - 1) {
 					last_i++;
 				}