sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

CVE-2015-3223: lib: ldb: Cope with canonicalise_fn returning string "", length 0.

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
Jeremy Allison 2015-06-09 12:42:10 -07:00 committed by Ralph Boehme
parent 3c6ea3293c
commit ec504dbf69
1 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
lib/ldb/common/ldb_match.c
View File

@ -271,6 +271,14 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
if (cnk.length > val.length) {
goto mismatch;
}
/*
* Empty strings are returned as length 0. Ensure
* we can cope with this.
*/
if (cnk.length == 0) {
goto mismatch;
}
if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) goto mismatch;
val.length -= cnk.length;
val.data += cnk.length;
@ -284,7 +292,13 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
chunk = tree->u.substring.chunks[c];
if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
/* FIXME: case of embedded nulls */
/*
* Empty strings are returned as length 0. Ensure
* we can cope with this.
*/
if (cnk.length == 0) {
goto mismatch;
}
p = strstr((char *)val.data, (char *)cnk.data);
if (p == NULL) goto mismatch;
if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {