The branch, master has been updated
       via  a44e4e9 ldb: validate ldb_dn_set_component input parameters even 
more strictly
       via  30e92d0 ldb: Explain why this use of talloc_memdup() is safe
       via  084bab5 ldb: Be strict about talloc_memdup() and passed in buffers 
in ldb_dn_set_component()
      from  ff94a01 travis: Add metadata file for the Travis CI Open Source 
cloud build/test service

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a44e4e932347c4c73bfcd9ee227a5105b5db09f2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 4 12:13:40 2016 +1300

    ldb: validate ldb_dn_set_component input parameters even more strictly
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jelmer Vernooij <jel...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Jan  6 00:33:21 CET 2016 on sn-devel-144

commit 30e92d0a325d3829fa90d19e1b7af35a3db859f1
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 4 12:13:04 2016 +1300

    ldb: Explain why this use of talloc_memdup() is safe
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jelmer Vernooij <jel...@samba.org>

commit 084bab5a06fda352df5c8b902aa36068b7bcc396
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 4 12:12:37 2016 +1300

    ldb: Be strict about talloc_memdup() and passed in buffers in 
ldb_dn_set_component()
    
    This ensures we do not over-read the source buffer, but still NUL terminate.
    
    This may be related to Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808769
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jelmer Vernooij <jel...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb_dn.c | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index dfd3b58..5bf72ac 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -586,6 +586,12 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
 
                                p++;
                                *d++ = '\0';
+
+                               /*
+                                * This talloc_memdup() is OK with the
+                                * +1 because *d has been set to '\0'
+                                * just above
+                                */
                                dn->components[dn->comp_num].value.data = \
                                        (uint8_t 
*)talloc_memdup(dn->components, dt, l + 1);
                                dn->components[dn->comp_num].value.length = l;
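Review bot: The new comment says `*d` has been set to '\0', but `*d++ = '\0'` on the line above writes the NUL and then advances `d`, so at the point the comment is read `*d` names the byte after the terminator, not the terminator itself. What makes the `l + 1` memdup in bounds is that the NUL sits at the end of the run starting at `dt`, which the comment should say directly, e.g. `/* *d++ = '\0' above placed a NUL at the end of the dt run, so copying l + 1 bytes stays inside the buffer */`. Whether that NUL is actually at dt[l] depends on how `l` and `d` are kept in step earlier in ldb_dn_explode, which is outside this hunk; the same wording is repeated in the hunk at @@ -708,6. ldb_dn_explode starts and ends outside the hunk.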
@@ -708,6 +714,11 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
        }
 
        *d++ = '\0';
+       /*
+        * This talloc_memdup() is OK with the
+        * +1 because *d has been set to '\0'
+        * just above.
+        */
        dn->components[dn->comp_num].value.length = l;
        dn->components[dn->comp_num].value.data =
                (uint8_t *)talloc_memdup(dn->components, dt, l + 1);
@@ -1901,17 +1912,37 @@ int ldb_dn_set_component(struct ldb_dn *dn, int num,
                return LDB_ERR_OTHER;
        }
 
+       if (num < 0) {
+               return LDB_ERR_OTHER;
+       }
+
+       if (v.length > v.length + 1) {
+               return LDB_ERR_OTHER;
+       }
+
        n = talloc_strdup(dn, name);
        if ( ! n) {
                return LDB_ERR_OTHER;
        }
 
        v.length = val.length;
-       v.data = (uint8_t *)talloc_memdup(dn, val.data, v.length+1);
+
+       /*
+        * This is like talloc_memdup(dn, v.data, v.length + 1), but
+        * avoids the over-read
+        */
+       v.data = (uint8_t *)talloc_size(dn, v.length+1);
        if ( ! v.data) {
                talloc_free(n);
                return LDB_ERR_OTHER;
        }
+       memcpy(v.data, val.data, val.length);
+
+       /*
+        * Enforce NUL termination outside the stated length, as is
+        * traditional in LDB
+        */
+       v.data[v.length] = '\0';
 
        talloc_free(dn->components[num].name);
        talloc_free(dn->components[num].value.data);
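Review bot: The overflow guard `if (v.length > v.length + 1)` reads `v.length` before it is assigned from `val.length` at `v.length = val.length;` further down, so unless `v` is initialised before the hunk it tests an indeterminate value and never looks at the length that actually feeds `talloc_size(dn, v.length+1)`. Checking the input instead makes the guard meaningful: `if (val.length > val.length + 1) {` (equivalently `val.length == SIZE_MAX`, the only value for which the `+1` wraps to zero and the subsequent `memcpy(v.data, val.data, val.length)` would write past a zero-sized allocation). The comment above the `talloc_size` call also names `talloc_memdup(dn, v.data, v.length + 1)` where the source buffer being copied is `val.data`. Passing `val.data == NULL` with `val.length == 0` to `memcpy` is still undefined, so a `if (val.length != 0)` guard around the copy would be cheap. ldb_dn_set_component starts before this hunk.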


-- 
Samba Shared Repository
