39 lines
1.6 KiB
Diff
From d9faf142495e1211620779bbedbefe7726d1099b Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 17 Feb 2022 11:11:53 +1300
Subject: [PATCH 16/18] CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit

Currently, we can crash the server by sending a large number of values
of a specific attribute (such as sAMAccountName) spread across a few
message elements. If val_count is larger than the total number of
elements, we get an access beyond the elements array.

Similarly, we can include unrelated message elements prior to the
message elements of the attribute in question, so that not all of the
attribute's values are copied into the returned elements values array.
This can cause the server to access uninitialised data, likely resulting
in a crash or unexpected behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---
source4/dsdb/samdb/ldb_modules/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 4c67873643a..5d418efcd52 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1544,7 +1544,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,

v = _el->values;

- for (i = 0; i < val_count; i++) {
+ for (i = 0; i < msg->num_elements; i++) {
if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
if ((operation == LDB_MODIFY) &&
(LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
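Review bot: the new bound `msg->num_elements` is the right one for this loop, because the body indexes `msg->elements[i]`; bounding it by `val_count` (a count of values, per the commit message) let `i` run past the end of the elements array whenever values outnumbered elements, which is the out-of-bounds read described. What the hunk does not show is how the destination `v = _el->values` is sized: the loop now visits every element, so it is worth confirming at the write site that the total number of values copied from all elements matching `attr_name` cannot exceed the capacity that `val_count` was computed for, otherwise the read fix leaves room for an over-long write. A one-line comment above the loop stating that `i` walks message elements rather than values would make the distinction between the two counts explicit and harder to get wrong again.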
--
2.35.0