CVE-2020-10700: ldb: Always use ldb_next_request() in ASQ module

We want to keep going down the module stack, and not start from the top again.

ASQ is above the ACL modules, but below paged_results and we do not wish to
re-trigger that work.

Thanks to Andrei Popa <andrei.popa@next-gen.ro> for finding,
reporting and working with us to diagnose this issue!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

diff --git a/lib/ldb/modules/asq.c b/lib/ldb/modules/asq.c
index 7482de826f0cf088d17d3e63ce30f6b1818e479e..4eba941ae0b47d63c2f405a568fc714f7ff41aa6 100644 (file)
--- a/lib/ldb/modules/asq.c
+++ b/lib/ldb/modules/asq.c
@@ -311,12 +311,9 @@ static int asq_build_multiple_requests(struct asq_context *ac, bool *terminated)
 
 static int asq_search_continue(struct asq_context *ac)
 {
-       struct ldb_context *ldb;
        bool terminated = false;
        int ret;
 
-       ldb = ldb_module_get_ctx(ac->module);
-
        switch (ac->step) {
        case ASQ_SEARCH_BASE:
 
@@ -328,7 +325,7 @@ static int asq_search_continue(struct asq_context *ac)
 
                ac->step = ASQ_SEARCH_MULTI;
 
-               return ldb_request(ldb, ac->reqs[ac->cur_req]);
+               return ldb_next_request(ac->module, ac->reqs[ac->cur_req]);
 
        case ASQ_SEARCH_MULTI:
 
@@ -339,7 +336,7 @@ static int asq_search_continue(struct asq_context *ac)
                        return asq_search_terminate(ac);
                }
 
-               return ldb_request(ldb, ac->reqs[ac->cur_req]);
+               return ldb_next_request(ac->module, ac->reqs[ac->cur_req]);
        }
 
        return LDB_ERR_OPERATIONS_ERROR;
@@ -347,14 +344,11 @@ static int asq_search_continue(struct asq_context *ac)
 
 static int asq_search(struct ldb_module *module, struct ldb_request *req)
 {
-       struct ldb_context *ldb;
        struct ldb_request *base_req;
        struct ldb_control *control;
        struct asq_context *ac;
        int ret;
 
-       ldb = ldb_module_get_ctx(module);
-
        /* check if there's an ASQ control */
        control = ldb_request_get_control(req, LDB_CONTROL_ASQ_OID);
        if (control == NULL) {
@@ -385,7 +379,7 @@ static int asq_search(struct ldb_module *module, struct ldb_request *req)
 
        ac->step = ASQ_SEARCH_BASE;
 
-       return ldb_request(ldb, base_req);
+       return ldb_next_request(ac->module, base_req);
 }
 
 static int asq_init(struct ldb_module *module)