1 files changed, 44 insertions, 0 deletions

diff --git a/main/samba/0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch b/main/samba/0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
new file mode 100644
index 0000000000..a1166946d3
--- /dev/null
+++ b/main/samba/0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
@@ -0,0 +1,44 @@
+From ac0b38fb285fad3165560a26afeeeaf23d850c1c Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming@catalyst.net.nz>
+Date: Mon, 5 Nov 2018 16:18:18 +1300
+Subject: [PATCH] CVE-2018-16851 ldap_server: Check ret before manipulating
+ blob
+
+In the case of hitting the talloc ~256MB limit, this causes a crash in
+the server.
+
+Note that you would actually need to load >256MB of data into the LDAP.
+Although there is some generated/hidden data which would help you reach that
+limit (descriptors and RMD blobs).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
+
+Signed-off-by: Garming Sam <garming@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/ldap_server/ldap_server.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
+index d9f24e0817c..e5e9688ed98 100644
+--- a/source4/ldap_server/ldap_server.c
++++ b/source4/ldap_server/ldap_server.c
+@@ -669,13 +669,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
+ 		ret = data_blob_append(call, &blob, b.data, b.length);
+ 		data_blob_free(&b);
+ 
+-		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
+-
+ 		if (!ret) {
+ 			ldapsrv_terminate_connection(conn, "data_blob_append failed");
+ 			return;
+ 		}
+ 
++		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
++
+ 		DLIST_REMOVE(call->replies, call->replies);
+ 	}
+ 
+-- 
+2.18.1
+