From fb3e51020ab589cf76306b36548eda8a2de8f6ce Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 11 Mar 2020 16:43:31 +1300
Subject: [PATCH] CVE-2020-10700: dsdb: Do not permit the ASQ control for the GUID search in paged_results

ASQ is a very strange control and a BASE search can return multiple results that are NOT the requested DN, but the DNs pointed to by it!

Thanks to Andrei Popa for finding, reporting and working with us to diagnose this issue!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331

Signed-off-by: Andrew Bartlett
Reviewed-by: Gary Lockyer
---
 selftest/knownfail.d/asq | 1 -
 source4/dsdb/samdb/ldb_modules/paged_results.c | 18 +++++++++++++-----
 2 files changed, 13 insertions(+), 6 deletions(-)
 delete mode 100644 selftest/knownfail.d/asq

diff --git a/selftest/knownfail.d/asq b/selftest/knownfail.d/asq
deleted file mode 100644
index eb0e3e0aba1..00000000000
--- a/selftest/knownfail.d/asq
+++ /dev/null
@@ -1 +0,0 @@
-samba4.asq.python\(ad_dc_default\).__main__.ASQLDAPTest.test_asq_paged
\ No newline at end of file
diff --git a/source4/dsdb/samdb/ldb_modules/paged_results.c b/source4/dsdb/samdb/ldb_modules/paged_results.c
index 940d2254fb0..dc211dd18ce 100644
--- a/source4/dsdb/samdb/ldb_modules/paged_results.c
+++ b/source4/dsdb/samdb/ldb_modules/paged_results.c
@@ -483,8 +483,14 @@ paged_results_copy_down_controls(TALLOC_CTX *mem_ctx,
 if (control->oid == NULL) {
 continue;
 }
- if (strncmp(control->oid, LDB_CONTROL_PAGED_RESULTS_OID,
- sizeof(LDB_CONTROL_PAGED_RESULTS_OID)) == 0) {
+ if (strcmp(control->oid, LDB_CONTROL_PAGED_RESULTS_OID) == 0) {
+ continue;
+ }
+ /*
+ * ASQ changes everything, do not copy it down for the
+ * per-GUID search
+ */
+ if (strcmp(control->oid, LDB_CONTROL_ASQ_OID) == 0) {
 continue;
 }
 new_controls[j] = talloc_steal(new_controls, control);
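Review bot: The new comment `ASQ changes everything` in the copy-down loop does not say what property the exclusion protects, so a maintainer adding another control later has nothing to check against; the commit message has the reason, and I would put it at the code: `/* ASQ makes even a BASE search return the objects an attribute points to rather than the requested DN, so copying it down would let the per-GUID lookup return entries other than the one the cookie names. */`. The exclusion is a per-OID denylist of the paged and ASQ controls; if the caller of the per-GUID search does not already reject a result set with anything other than exactly one entry (that code is not in this hunk), such a check would also cover any other control with the same effect. The replacement of `strncmp` with `sizeof(LDB_CONTROL_PAGED_RESULTS_OID)` by `strcmp` is behaviour-preserving, since the old length included the terminating NUL. paged_results_copy_down_controls begins and ends outside the hunk.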
@@ -534,21 +540,23 @@ static bool paged_controls_same(struct ldb_request *req,
 num_non_null_req_controls = 0;
 for (i=0; req->controls[i] != NULL; i++) {
- if (req->controls[i]->oid != NULL) {
+ if (req->controls[i]->oid != NULL &&
+ strcmp(req->controls[i]->oid,
+ LDB_CONTROL_ASQ_OID) != 0) {
 num_non_null_req_controls++;
 }
 }
 /* At this point we have the number of non-null entries for both
 * control lists and we know that:
- * 1. down_controls does not contain the paged control
+ * 1. down_controls does not contain the paged control or ASQ
 * (because paged_results_copy_down_controls excludes it)
 * 2. req->controls does contain the paged control
 * (because this function is only called if this is true)
 * 3. down_controls is a subset of non-null controls in req->controls
 * (checked above)
 * So to confirm that the two lists are identical except for the paged
- * control, all we need to check is: */
+ * control and possibly ASQ, all we need to check is: */
 if (num_non_null_req_controls == num_down_controls + 1) {
 return true;
 }
-- 
2.11.4.GIT
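Review bot: The ASQ exclusion is now spelled out twice as separate `strcmp` literals, once in paged_results_copy_down_controls and again in this counting loop, and the `num_non_null_req_controls == num_down_controls + 1` test is only valid while the two sites agree exactly: a control excluded at one site but not the other would make paged_controls_same reject every request that carries it, and nothing ties the two lists together. I would factor a single predicate, e.g. `static bool paged_results_is_excluded_control(const char *oid)` returning true for LDB_CONTROL_PAGED_RESULTS_OID and LDB_CONTROL_ASQ_OID, and call it from both loops so the lists cannot drift. With this change a request that carries ASQ and one that does not, but are otherwise identical, now count as the same control set; the updated comment's "possibly ASQ" acknowledges this, and it is consistent with ASQ never being copied down, but it is worth stating in the comment that this is deliberate rather than leaving it implied. paged_controls_same begins and ends outside the hunk.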