From eeb594ce935190551d7d71812edef8ba506cd5d6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 27 Jun 2016 12:35:24 +1200
Subject: [PATCH] dsdb: Limit potential stack use when parsing extended DNs

Signed-off-by: Andrew Bartlett
Reviewed-by: Garming Sam
---
 source4/dsdb/common/util.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 0bbf4022523..448b20ae040 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -3720,7 +3720,10 @@ NTSTATUS dsdb_get_extended_dn_uint64(struct ldb_dn *dn, uint64_t *val, const cha
 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 }
 
- {
+ /* Just check we don't allow the caller to fill our stack */
+ if (v->length >= 64) {
+ return NT_STATUS_INVALID_PARAMETER;
+ } else {
 char s[v->length+1];
 memcpy(s, v->data, v->length);
 s[v->length] = 0;
@@ -3750,7 +3753,10 @@ NTSTATUS dsdb_get_extended_dn_uint32(struct ldb_dn *dn, uint32_t *val, const cha
 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 }
 
- {
+ /* Just check we don't allow the caller to fill our stack */
+ if (v->length >= 32) {
+ return NT_STATUS_INVALID_PARAMETER;
+ } else {
 char s[v->length + 1];
 memcpy(s, v->data, v->length);
 s[v->length] = 0;
@@ -3790,13 +3796,13 @@ NTSTATUS dsdb_get_extended_dn_sid(struct ldb_dn *dn, struct dom_sid *sid, const
 */
 uint32_t dsdb_dn_rmd_flags(struct ldb_dn *dn)
 {
- const struct ldb_val *v;
- char buf[32];
- v = ldb_dn_get_extended_component(dn, "RMD_FLAGS");
- if (!v || v->length > sizeof(buf)-1) return 0;
- strncpy(buf, (const char *)v->data, v->length);
- buf[v->length] = 0;
- return strtoul(buf, NULL, 10);
+ uint32_t rmd_flags = 0;
+ NTSTATUS status = dsdb_get_extended_dn_uint32(dn, &rmd_flags,
+ "RMD_FLAGS");
+ if (NT_STATUS_IS_OK(status)) {
+ return rmd_flags;
+ }
+ return 0;
 }
 
 /*
-- 
2.11.4.GIT
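Review bot: The bounded branch in dsdb_get_extended_dn_uint64 still declares a variable-length array, `char s[v->length+1];`, even though the new check already caps the length at 63. With the cap in place a fixed buffer makes the stack use a compile-time constant and ties the limit to the buffer, e.g. `char s[64];` followed by `if (v->length >= sizeof(s)) { return NT_STATUS_INVALID_PARAMETER; }`. The same applies to the `>= 32` check and `char s[v->length + 1];` in dsdb_get_extended_dn_uint32 in the next hunk. The limits 64 and 32 are bare numbers, so the existing comment could also say how they relate to the longest value the parser should accept. Both function bodies continue outside their hunks, so the code that consumes `s` is not visible here.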
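Review bot: dsdb_dn_rmd_flags now inherits whatever number parsing dsdb_get_extended_dn_uint32 performs, and that parse lies outside the visible hunks, so it is worth confirming that it matches the removed `strtoul(buf, NULL, 10)` in base and in how it treats trailing characters. Every non-OK status, including the new NT_STATUS_INVALID_PARAMETER for an over-long value, is folded into a return of 0, which a caller cannot tell apart from a component that really holds 0. A line in the comment above the function, such as `returns 0 if RMD_FLAGS is absent or rejected by dsdb_get_extended_dn_uint32()`, would make that contract explicit for callers that base decisions on the flags.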