From d9faf142495e1211620779bbedbefe7726d1099b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 17 Feb 2022 11:11:53 +1300 Subject: [PATCH 16/18] CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit Currently, we can crash the server by sending a large number of values of a specific attribute (such as sAMAccountName) spread across a few message elements. If val_count is larger than the total number of elements, we get an access beyond the elements array. Similarly, we can include unrelated message elements prior to the message elements of the attribute in question, so that not all of the attribute's values are copied into the returned elements values array. This can cause the server to access uninitialised data, likely resulting in a crash or unexpected behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 Signed-off-by: Joseph Sutton --- source4/dsdb/samdb/ldb_modules/util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c index 4c67873643a..5d418efcd52 100644 --- a/source4/dsdb/samdb/ldb_modules/util.c +++ b/source4/dsdb/samdb/ldb_modules/util.c @@ -1544,7 +1544,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx, v = _el->values; - for (i = 0; i < val_count; i++) { + for (i = 0; i < msg->num_elements; i++) { if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) { if ((operation == LDB_MODIFY) && (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) -- 2.35.0