The branch, master has been updated
       via  a44e4e9 ldb: validate ldb_dn_set_component input parameters even more strictly
       via  30e92d0 ldb: Explain why this use of talloc_memdup() is safe
       via  084bab5 ldb: Be strict about talloc_memdup() and passed in buffers in ldb_dn_set_component()
      from  ff94a01 travis: Add metadata file for the Travis CI Open Source cloud build/test service
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit a44e4e932347c4c73bfcd9ee227a5105b5db09f2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 4 12:13:40 2016 +1300

    ldb: validate ldb_dn_set_component input parameters even more strictly

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jelmer Vernooij <jel...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Jan 6 00:33:21 CET 2016 on sn-devel-144

commit 30e92d0a325d3829fa90d19e1b7af35a3db859f1
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 4 12:13:04 2016 +1300

    ldb: Explain why this use of talloc_memdup() is safe

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jelmer Vernooij <jel...@samba.org>

commit 084bab5a06fda352df5c8b902aa36068b7bcc396
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 4 12:12:37 2016 +1300

    ldb: Be strict about talloc_memdup() and passed in buffers in ldb_dn_set_component()

    This ensures we do not over-read the source buffer, but still NUL terminate.

    This may be related to debian bug:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808769

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jelmer Vernooij <jel...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb_dn.c | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index dfd3b58..5bf72ac 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -586,6 +586,12 @@ static bool ldb_dn_explode(struct ldb_dn *dn) p++; *d++ = '\0'; + + /* + * This talloc_memdup() is OK with the + * +1 because *d has been set to '\0' + * just above + */ dn->components[dn->comp_num].value.data = \ (uint8_t *)talloc_memdup(dn->components, dt, l + 1); dn->components[dn->comp_num].value.length = l; @@ -708,6 +714,11 @@ static bool ldb_dn_explode(struct ldb_dn *dn) } *d++ = '\0'; + /* + * This talloc_memdup() is OK with the + * +1 because *d has been set to '\0' + * just above. + */ dn->components[dn->comp_num].value.length = l; dn->components[dn->comp_num].value.data = (uint8_t *)talloc_memdup(dn->components, dt, l + 1); @@ -1901,17 +1912,37 @@ int ldb_dn_set_component(struct ldb_dn *dn, int num, return LDB_ERR_OTHER; } + if (num < 0) { + return LDB_ERR_OTHER; + } + + if (v.length > v.length + 1) { + return LDB_ERR_OTHER; + } + n = talloc_strdup(dn, name); if ( ! n) { return LDB_ERR_OTHER; } v.length = val.length; - v.data = (uint8_t *)talloc_memdup(dn, val.data, v.length+1); + + /* + * This is like talloc_memdup(dn, v.data, v.length + 1), but + * avoids the over-read + */ + v.data = (uint8_t *)talloc_size(dn, v.length+1); if ( ! v.data) { talloc_free(n); return LDB_ERR_OTHER; } + memcpy(v.data, val.data, val.length); + + /* + * Enforce NUL termination outside the stated length, as is + * traditional in LDB + */ + v.data[v.length] = '\0'; talloc_free(dn->components[num].name); talloc_free(dn->components[num].value.data); -- Samba Shared Repository
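Review bot: in the first hunk (@@ -586) the new comment says "*d has been set to '\0' just above", but the statement it refers to is `*d++ = '\0';`, so by the time the comment is read `d` already points one past the terminator and the comment describes the byte before `d`, not `*d`; it also lacks the trailing period that the otherwise identical comment in the second hunk (@@ -708) has. Suggest wording both comments identically and stating the invariant the `+1` relies on, e.g. "the NUL written just above is the (l + 1)th byte starting at dt, so copying l + 1 bytes stays within the buffer."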
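Review bot: in the third hunk (@@ -1901) the new overflow guard `if (v.length > v.length + 1)` reads the local `v` before it is assigned; `v.length = val.length;` only runs a few lines further down, so the check tests an uninitialized value and does not protect the `talloc_size(dn, v.length+1)` that follows. It should read `if (val.length > val.length + 1)` (or be moved below the assignment). A second point on the same hunk: `memcpy(v.data, val.data, val.length);` is issued without any check on `val.data`; if an empty value can arrive with a NULL data pointer, a `memcpy` from NULL is undefined even with length 0, so consider guarding the copy with `if (val.length != 0)`.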