Fix out of bound in ldb_wildcard_compare
parent
26bfbd96ca
commit
160b21d5a3
89
0003-ldb-Out-ouf-bound-read-in-ldb_wildcard_compare.patch
Normal file
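--- /dev/null
+++ b/0003-ldb-Out-ouf-bound-read-in-ldb_wildcard_compare.patch
@@ -0,0 +1,89 @@
+From f8dbb92b4ea46f86ff2fc448eb8dd989cc1efa51 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Fri, 18 Jan 2019 01:15:18 +0100
+Subject: [PATCH] ldb: Out ouf bound read in ldb_wildcard_compare
+
+There is valgrind error in few tests tests/test-generic.sh
+91 echo "Test wildcard match"
+92 $VALGRIND ldbadd $LDBDIR/tests/test-wildcard.ldif || exit 1
+93 $VALGRIND ldbsearch '(cn=test*multi)' || exit 1
+95 $VALGRIND ldbsearch '(cn=*test_multi)' || exit 1
+97 $VALGRIND ldbsearch '(cn=test*multi*test*multi)' || exit 1
+
+e.g.
+==3098== Memcheck, a memory error detector
+==3098== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+==3098== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
+==3098== Command: ./bin/ldbsearch (cn=test*multi)
+==3098==
+==3098== Invalid read of size 1
+==3098== at 0x483CEE7: memchr (vg_replace_strmem.c:890)
+==3098== by 0x49A9073: memmem (in /usr/lib64/libc-2.28.9000.so)
+==3098== by 0x485DFE9: ldb_wildcard_compare (ldb_match.c:313)
+==3098== by 0x485DFE9: ldb_match_substring (ldb_match.c:360)
+==3098== by 0x485DFE9: ldb_match_message (ldb_match.c:572)
+==3098== by 0x558F8FA: search_func (ldb_kv_search.c:549)
+==3098== by 0x48C78CA: ??? (in /usr/lib64/libtdb.so.1.3.17)
+==3098== by 0x48C7A60: tdb_traverse_read (in /usr/lib64/libtdb.so.1.3.17)
+==3098== by 0x557B7C4: ltdb_traverse_fn (ldb_tdb.c:274)
+==3098== by 0x558FBFA: ldb_kv_search_full (ldb_kv_search.c:594)
+==3098== by 0x558FBFA: ldb_kv_search (ldb_kv_search.c:854)
+==3098== by 0x558E497: ldb_kv_callback (ldb_kv.c:1713)
+==3098== by 0x48FCD58: tevent_common_invoke_timer_handler (in /usr/lib64/libtevent.so.0.9.38)
+==3098== by 0x48FCEFD: tevent_common_loop_timer_delay (in /usr/lib64/libtevent.so.0.9.38)
+==3098== by 0x48FE14A: ??? (in /usr/lib64/libtevent.so.0.9.38)
+==3098== Address 0x4b4ab81 is 0 bytes after a block of size 129 alloc'd
+==3098== at 0x483880B: malloc (vg_replace_malloc.c:309)
+==3098== by 0x491048B: talloc_strndup (in /usr/lib64/libtalloc.so.2.1.15)
+==3098== by 0x48593CA: ldb_casefold_default (ldb_utf8.c:59)
+==3098== by 0x485F68D: ldb_handler_fold (attrib_handlers.c:64)
+==3098== by 0x485DB88: ldb_wildcard_compare (ldb_match.c:257)
+==3098== by 0x485DB88: ldb_match_substring (ldb_match.c:360)
+==3098== by 0x485DB88: ldb_match_message (ldb_match.c:572)
+==3098== by 0x558F8FA: search_func (ldb_kv_search.c:549)
+==3098== by 0x48C78CA: ??? (in /usr/lib64/libtdb.so.1.3.17)
+==3098== by 0x48C7A60: tdb_traverse_read (in /usr/lib64/libtdb.so.1.3.17)
+==3098== by 0x557B7C4: ltdb_traverse_fn (ldb_tdb.c:274)
+==3098== by 0x558FBFA: ldb_kv_search_full (ldb_kv_search.c:594)
+==3098== by 0x558FBFA: ldb_kv_search (ldb_kv_search.c:854)
+==3098== by 0x558E497: ldb_kv_callback (ldb_kv.c:1713)
+==3098== by 0x48FCD58: tevent_common_invoke_timer_handler (in /usr/lib64/libtevent.so.0.9.38)
+==3098==
+# record 1
+dn: cn=test_multi_test_multi_test_multi,o=University of Michigan,c=TEST
+cn: test_multi_test_multi_test_multi
+description: test multi wildcards matching
+objectclass: person
+sn: multi_test
+name: test_multi_test_multi_test_multi
+distinguishedName: cn=test_multi_test_multi_test_multi,o=University of Michiga
+n,c=TEST
+
+# returned 1 records
+# 1 entries
+# 0 referrals
+
+Signed-off-by: Lukas Slebodnik <lslebodn@fedoraproject.org>
+---
+common/ldb_match.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/common/ldb_match.c b/common/ldb_match.c
+index 25fe3f9c21b14c23696eecd700b2170b0c3b1981..8eeedfb12e0600cdec7431a10fde8bdf9dcb2bd8 100644
+--- a/common/ldb_match.c
++++ b/common/ldb_match.c
+@@ -308,9 +308,10 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
+if (p == NULL) goto mismatch;
+if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
+uint8_t *g;
++ uint8_t *end = val.data + val.length;
+do { /* greedy */
+g = memmem(p + cnk.length,
+- val.length - (p - val.data),
++ end - (p + cnk.length),
+(const uint8_t *)cnk.data,
+cnk.length);
+if (g) p = g;
+--
+2.20.1
+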
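Review bot: In the `do { /* greedy */` loop the new haystack length `end - (p + cnk.length)` is a pointer difference that memmem receives as a size_t, and nothing visible in the hunk states why it can never be negative. It holds only if `p` always points at a complete match of `cnk` inside `val`, which the preceding `if (p == NULL) goto mismatch;` suggests, but the search that sets `p` is outside the hunk. I would record the invariant with a comment above the loop: `/* p is a full match of cnk within val, so p + cnk.length <= end */`. The valgrind trace in the message shows a read just past a heap block during substring matching, so it is also worth running tests/test-generic.sh under valgrind or ASan in the package's check stage to catch a regression. ldb_wildcard_compare starts and ends outside the hunk.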
@ -38,6 +38,7 @@ Source: http://samba.org/ftp/ldb/ldb-%{version}.tar.gz
|
|||||||
# Patches
|
# Patches
|
||||||
Patch0001: 0001-Fix-detection-of-HAVE_LARGEFILE-with-python2.patch
|
Patch0001: 0001-Fix-detection-of-HAVE_LARGEFILE-with-python2.patch
|
||||||
Patch0002: 0002-ldb-Run-at-least-some-tests-on-32-bit-machines.patch
|
Patch0002: 0002-ldb-Run-at-least-some-tests-on-32-bit-machines.patch
|
||||||
|
Patch0003: 0003-ldb-Out-ouf-bound-read-in-ldb_wildcard_compare.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: libtalloc-devel >= %{talloc_version}
|
BuildRequires: libtalloc-devel >= %{talloc_version}
|
||||||
|