mirror of
https://github.com/samba-team/samba.git
synced 2024-12-25 23:21:54 +03:00
ldb client controls: avoid talloc_memdup(x, y, (size_t)-1);
ldb_base64_decode() returns -1 if a string can't be parsed as base64, and this is not the kind of value you want to use in talloc_memdup(). In these cases it can happen innocently if the strings are truncated to fit in their buffers. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Mar 19 00:56:42 CET 2016 on sn-devel-144
parent
ac4dc0c678
commit
e806824fc8
@ -507,8 +507,16 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
|
|||||||
control->match.byOffset.contentCount = cc;
|
control->match.byOffset.contentCount = cc;
|
||||||
}
|
}
|
||||||
if (ctxid[0]) {
|
if (ctxid[0]) {
|
||||||
control->ctxid_len = ldb_base64_decode(ctxid);
|
int len = ldb_base64_decode(ctxid);
|
||||||
control->contextId = talloc_memdup(control, ctxid, control->ctxid_len);
|
if (len < 0) {
|
||||||
|
ldb_set_errstring(ldb,
|
||||||
|
"invalid VLV context_id\n");
|
||||||
|
talloc_free(ctrl);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
control->ctxid_len = len;
|
||||||
|
control->contextId = talloc_memdup(control, ctxid,
|
||||||
|
control->ctxid_len);
|
||||||
} else {
|
} else {
|
||||||
control->ctxid_len = 0;
|
control->ctxid_len = 0;
|
||||||
control->contextId = NULL;
|
control->contextId = NULL;
|
||||||
@ -552,7 +560,14 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
|
|||||||
control->flags = flags;
|
control->flags = flags;
|
||||||
control->max_attributes = max_attrs;
|
control->max_attributes = max_attrs;
|
||||||
if (*cookie) {
|
if (*cookie) {
|
||||||
control->cookie_len = ldb_base64_decode(cookie);
|
int len = ldb_base64_decode(cookie);
|
||||||
|
if (len < 0) {
|
||||||
|
ldb_set_errstring(ldb,
|
||||||
|
"invalid dirsync cookie\n");
|
||||||
|
talloc_free(ctrl);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
control->cookie_len = len;
|
||||||
control->cookie = (char *)talloc_memdup(control, cookie, control->cookie_len);
|
control->cookie = (char *)talloc_memdup(control, cookie, control->cookie_len);
|
||||||
} else {
|
} else {
|
||||||
control->cookie = NULL;
|
control->cookie = NULL;
|
||||||
@ -597,7 +612,15 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
|
|||||||
control->flags = flags;
|
control->flags = flags;
|
||||||
control->max_attributes = max_attrs;
|
control->max_attributes = max_attrs;
|
||||||
if (*cookie) {
|
if (*cookie) {
|
||||||
control->cookie_len = ldb_base64_decode(cookie);
|
int len = ldb_base64_decode(cookie);
|
||||||
|
if (len < 0) {
|
||||||
|
ldb_set_errstring(ldb,
|
||||||
|
"invalid dirsync_ex cookie"
|
||||||
|
" (probably too long)\n");
|
||||||
|
talloc_free(ctrl);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
control->cookie_len = len;
|
||||||
control->cookie = (char *)talloc_memdup(control, cookie, control->cookie_len);
|
control->cookie = (char *)talloc_memdup(control, cookie, control->cookie_len);
|
||||||
} else {
|
} else {
|
||||||
control->cookie = NULL;
|
control->cookie = NULL;
|
||||||
|
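Review bot: The result of `talloc_memdup()` is still unchecked in all three new branches, so an allocation failure leaves `control->contextId` (VLV hunk) or `control->cookie` (dirsync and dirsync_ex hunks) NULL while `ctxid_len`/`cookie_len` holds a positive length. Each copy should fail the same way the new `len < 0` path does, e.g. `if (control->cookie == NULL) { ldb_oom(ldb); talloc_free(ctrl); return NULL; }` right after the memdup (and the same for `contextId`). Whether the code that later consumes these fields tolerates a NULL pointer with a non-zero length is not visible here, since ldb_parse_control_from_string starts and ends outside the hunks. As a smaller point, only the dirsync_ex message carries the "(probably too long)" hint, although the commit description says truncation is the likely cause in all of these cases; the VLV and dirsync messages would be easier to act on with the same hint.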