|
From bce1b285de7829d9fa110efdfa98fe877ef19e3f Mon Sep 17 00:00:00 2001
|
||
|
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
||
|
Date: Thu, 26 Nov 2015 11:17:11 +1300
|
||
|
Subject: [PATCH 8/9] CVE-2015-5330: ldb_dn_explode: copy strings by length,
|
||
|
not terminators
|
||
|
|
||
|
That is, memdup(), not strdup(). The terminators might not be there.
|
||
|
|
||
|
But, we have to make sure we put the terminator on, because we tend to
|
||
|
assume the terminator is there in other places.
|
||
|
|
||
|
Use talloc_set_name_const() on the resulting chunk so talloc_report()
|
||
|
remains unchanged.
|
||
|
|
||
|
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
|
||
|
|
||
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
||
|
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
|
||
|
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
|
||
|
Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
|
||
|
Pair-programmed-with: Ralph Boehme <slow@samba.org>
|
||
|
---
|
||
|
lib/ldb/common/ldb_dn.c | 9 +++++++--
|
||
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
|
||
|
index a3b8f92..cd17cda 100644
|
||
|
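--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -586,12 +586,15 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
 
 p++;
 *d++ = '\0';
- dn->components[dn->comp_num].value.data = (uint8_t *)talloc_strdup(dn->components, dt);
+ dn->components[dn->comp_num].value.data = \
+ (uint8_t *)talloc_memdup(dn->components, dt, l + 1);
 dn->components[dn->comp_num].value.length = l;
 if ( ! dn->components[dn->comp_num].value.data) {
 /* ouch ! */
 goto failed;
 }
+ talloc_set_name_const(dn->components[dn->comp_num].value.data,
+ (const char *)dn->components[dn->comp_num].value.data);
 
 dt = d;
 
@@ -707,11 +710,13 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
 *d++ = '\0';
 dn->components[dn->comp_num].value.length = l;
 dn->components[dn->comp_num].value.data =
- (uint8_t *)talloc_strdup(dn->components, dt);
+ (uint8_t *)talloc_memdup(dn->components, dt, l + 1);
 if ( ! dn->components[dn->comp_num].value.data) {
 /* ouch */
 goto failed;
 }
+ talloc_set_name_const(dn->components[dn->comp_num].value.data,
+ (const char *)dn->components[dn->comp_num].value.data);
 
 dn->comp_num++;
 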
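Review bot: The copy length `l + 1` in both hunks is only correct if the NUL written by `*d++ = '\0'` sits exactly at `dt[l]`, and neither hunk shows how `l` is kept in step with `d - dt`. Since the commit message says other code assumes the terminator is present, I would make that explicit by adding `dn->components[dn->comp_num].value.data[l] = '\0';` after the NULL check, or at least a comment such as `/* dt[l] is the NUL written just above; copy it along with the value */`. The `talloc_set_name_const()` calls would also benefit from a one-line comment saying the chunk is named after its own contents so that talloc_report() output stays as it was, and that a value with an embedded NUL will show truncated there. As a style point, the `= \` line continuation in the first hunk is unnecessary outside a macro and differs from the second hunk, which breaks the same assignment without it. ldb_dn_explode begins and ends outside both hunks.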
|
--
|
||
|
2.5.0
|
||
|
|
||
|
|