diff options
author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-02-17 11:11:53 +1300 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-07-24 11:41:53 +0200 |
commit | 7c8427e5d2f247921ab44996829acfed1f5f2360 (patch) | |
tree | 653bb769d0de6de240a561a933057d158c70504c | |
parent | 6237c85565332e0be1890dd57cc7e25fb76571d7 (diff) | |
download | samba-7c8427e5d2f247921ab44996829acfed1f5f2360.tar.gz |
CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
Currently, we can crash the server by sending a large number of values
of a specific attribute (such as sAMAccountName) spread across a few
message elements. If val_count is larger than the total number of
elements, we get an access beyond the elements array.
Similarly, we can include unrelated message elements prior to the
message elements of the attribute in question, so that not all of the
attribute's values are copied into the returned elements values array.
This can cause the server to access uninitialised data, likely resulting
in a crash or unexpected behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/util.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c index 405febf0b3d..14947746837 100644 --- a/source4/dsdb/samdb/ldb_modules/util.c +++ b/source4/dsdb/samdb/ldb_modules/util.c @@ -1546,7 +1546,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx, v = _el->values; - for (i = 0; i < val_count; i++) { + for (i = 0; i < msg->num_elements; i++) { if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) { if ((operation == LDB_MODIFY) && (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) |