From: Gary Lockyer <gary@catalyst.net.nz>
Date: Wed, 8 Apr 2020 03:30:52 +0000 (+1200)
Subject: CVE-2020-10704: lib util asn1: Check parse tree depth
X-Git-Tag: samba-4.10.15~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e7b910f68752514e405fbc0916c4e9e7dfb1bde;p=thirdparty%2Fsamba.git

CVE-2020-10704: lib util asn1: Check parse tree depth

Check the current depth of the parse tree and reject the input if the
depth exceeds that passed to asn1_init

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index c6c2f3bbec2..def71585d38 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -640,6 +640,16 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag)
 	uint8_t b;
 	struct nesting *nesting;
 
+	/*
+	 * Check the depth of the parse tree and prevent it from growing
+	 * too large.
+	 */
+	data->depth++;
+	if (data->depth > data->max_depth) {
+		data->has_error = true;
+		return false;
+	}
+
 	if (!asn1_read_uint8(data, &b))
 		return false;
 
@@ -696,6 +706,9 @@ bool asn1_end_tag(struct asn1_data *data)
 {
 	struct nesting *nesting;
 
+	if (data->depth > 0) {
+		data->depth--;
+	}
 	/* make sure we read it all */
 	if (asn1_tag_remaining(data) != 0) {
 		data->has_error = true;
diff --git a/selftest/knownfail.d/ldap_message b/selftest/knownfail.d/ldap_message
deleted file mode 100644
index 242eff45e59..00000000000
--- a/selftest/knownfail.d/ldap_message
+++ /dev/null
@@ -1,2 +0,0 @@
-^libcli.ldap.ldap_message.test_recursion_depth_greater_than_max\(none\)
-^libcli.ldap.ldap_message.test_recursion_depth_large\(none\)