As per upstream advisory:
Samba has, since Samba 4.0, supported the Paged Results LDAP feature, to allow clients to obtain pages of search results against a Samba AD DC using an LDAP control.
Since Samba 4.7.11 and 4.8.6 a Denial of Service prevention has been in place in this module, to age out old client requests if more than 10 such requests are outstanding.
A rewrite of the module for more efficient memory handling in Samba 4.11 changed the module behaviour, and combined with the above to introduce the use-after-free. The use-after-free occurs when the 'Paged Results' control is combined with the 'ASQ' control, another Active Directory LDAP feature.
Name: the Samba project
Upstream: Andrei Popa
As per upstream, the crash is hard to trigger, and relies in particular on the chain of child and grandchild links being queried with ASQ. Malicious users without write access will need to find a suitable chain within the existing directory layout.
This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux as there is no support for samba as an Active Directory Domain Controller (AD DC). Similarly, the version of samba shipped with Red Hat Gluster Storage 3 is also not supported for use as an AD DC and, thus, is not affected by this vulnerability.
Creating tracker bug for fedora-all, upon request from Gunther.
Created samba tracking bugs for this issue:
Affects: fedora-all [bug 1828870]