CVE-2020-10704: smb.conf: Add max ldap request sizes
authorGary Lockyer <gary@catalyst.net.nz>
Mon, 6 Apr 2020 21:09:01 +0000 (09:09 +1200)
committerKarolin Seeger <kseeger@samba.org>
Tue, 21 Apr 2020 11:20:31 +0000 (13:20 +0200)
Add two new smb.conf parameters to control the maximum permitted ldap
request size.

Adds:
   ldap max anonymous request size       default 250Kb
   ldap max authenticated request size   default 16Mb

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml [new file with mode: 0644]
docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml [new file with mode: 0644]
lib/param/loadparm.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
new file mode 100644 (file)
index 0000000..61bdcec
--- /dev/null
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max anonymous request size"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>
+               This parameter specifies the maximum permitted size (in bytes)
+               for an LDAP request received on an anonymous connection.
+       </para>
+
+       <para>
+               If the request size exceeds this limit the request will be
+               rejected.
+       </para>
+</description>
+<value type="default">256000</value>
+<value type="example">500000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
new file mode 100644 (file)
index 0000000..c5934f7
--- /dev/null
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max authenticated request size"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>
+               This parameter specifies the maximum permitted size (in bytes)
+               for an LDAP request received on an authenticated connection.
+       </para>
+
+       <para>
+               If the request size exceeds this limit the request will be
+               rejected.
+       </para>
+</description>
+<value type="default">16777216</value>
+<value type="example">4194304</value>
+</samba:parameter>
index 883d4167bf49c1ba0351bfd2e703613073b59d83..8e3521c918e34bd1a96259a984e4a7cc0488f71f 100644 (file)
@@ -3025,6 +3025,11 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "debug encryption", "no");
 
+       lpcfg_do_global_parameter(
+               lp_ctx, "ldap max anonymous request size", "256000");
+       lpcfg_do_global_parameter(
+               lp_ctx, "ldap max authenticated request size", "16777216");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
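Review bot: The defaults `"256000"` and `"16777216"` on the two added lpcfg_do_global_parameter() calls are bare literals that are repeated, with no reference between them, in init_globals() in source3/param/loadparm.c (the next hunk) and in the `<value type="default">` elements of the two new docs-xml files. If any one copy is edited later, the effective request-size limit will differ between the two loadparm implementations, or from what the generated smb.conf manpage documents, and nothing in the build will flag it. A one-line comment above the calls would at least make the coupling visible: `/* Defaults must match docs-xml/smbdotconf/ldap/ldapmax{anon,auth}request.xml and source3 init_globals() */`; a shared named constant in a common header would be better still. It would also help a future reader to record why the anonymous limit is so much lower than the authenticated one, e.g. `/* CVE-2020-10704: bound the memory an unauthenticated client can make the LDAP server allocate */`. loadparm_init() continues outside the hunk.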
index a8d5fdc5954d37d59b7a7023f7f74517c1f6ef85..dc1ad7aeafb6afc25d843dc33e60c824bbfdf51b 100644 (file)
@@ -956,6 +956,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.prefork_backoff_increment = 10;
        Globals.prefork_maximum_backoff = 120;
 
+       Globals.ldap_max_anonymous_request_size = 256000;
+       Globals.ldap_max_authenticated_request_size = 16777216;
+
        /* Now put back the settings that were set with lp_set_cmdline() */
        apply_lp_set_cmdline();
 }