IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
If neither dn can casefold, they should be considered equal. Otherwise
cmp(dn1, dn2) will be inconsistent with cmp(dn2, dn1).
These will still sort to the end of the list, relative to any valid
DNs.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
If the failure is not on the last component, we would have
TALLOC_FREE()ed some components that we hadn't set.
I think in all pathways we initialise the unset components to zero,
but we should be careful just in case.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
It should be off by default, as this is not needed by default. It
crashes named on startup, if bind is built with jemalloc support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15643
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is done by adding a new API that avoids the problems of
ldb_dn_copy() and makes it clear that a struct ldb_context *
pointer will be stored in the new copy.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The default is ASCII only, which is used by SSSD and OpenChange.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Typically in 8-bit character sets, those with the 0x80 bit set are
seen as 288-255, not negative numbers. This will sort them after 'Z',
not before 'A'.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function is made from the ASCII-only bits of the old
ldb_comparison_fold() -- that is, what you get if you never follow a
`goto utf8str` jump. It comparse the bytes, but collapses spaces and
maps [a-z] to [A-Z].
This does exactly what ldb_comparison_fold_utf8_broken() would do in
situations where ldb_casfold() calls ldb_casefold_default(). That
means SSSD.
The comparison is probably using signed char, so high bytes are
actually low bytes.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
But only if it is set, which it never is (so far).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This replaces ldb_set_utf8_fns(), which will be deprecated really soon.
The reason for this, as shown in surrounding commits, is that without
an explicit case-insensitive comparison we need to rely on the casefold,
and if the casefold can fail (because, e.g. bad utf-8) the comparison
ends up being a bit chaotic. The strings being compared are generally
user controlled, and a malicious user might find ways of hiding values
or perhaps fooling a binary search.
A case-insensitive comparisons that works gradually through the string
without an all-at-once casefold is better placed to deal with problems
where they happen, and we are able to separately specialise for the
ASCII case (used by SSSD) and the UTF-8 case (Samba).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We're going to make this use a configurable pointer.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If two strings are invalid UTF-8, the string is first compared with
memcmp(), which compares as unsigned char.
If the strings are of different lengths and one is a substring of the
other, the memcmp() returns 0 and a second comparison is made which
assumes the next character in the shorter string is '\0' -- but this
comparison was done using SIGNED chars (on most systems). That leads
to non-transitive comparisons.
Consider the strings {"a\xff", "a", "ab\xff"} under that system.
"a\xff" < "a", because (char)0xff == -1.
"ab\xff" > "a", because 'b' == 98.
"ab\xff" < "a\xff", because memcmp("ab\xff", "a\xff", 2) avoiding the
signed char tiebreaker.
(Before c49c48afe09a1a78989628bbffd49dd3efc154dd, the final character
might br arbitrarily cast into another character -- in latin-1, for
example, the 0xff here would have been seen as 'ÿ', which would be
uppercased to 'Ÿ', which is U+0178, which would be truncated to
'\x78', a positive char.
On the other hand e.g. 0xfe, 'þ', would have mapped to 0xde, 'Þ',
remaining negative).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This also sorts NULLs after invalid DNs, which matches the comment
above.
CID 1596622.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Error: INTEGER_OVERFLOW (CWE-190):
ldb-2.9.0/common/ldb_ldif.c:84: tainted_data_return: Called function "read(f, buf, size)", and a possible return value may be less than zero.
ldb-2.9.0/common/ldb_ldif.c:84: cast_overflow: An assign that casts to a different type, which might trigger an overflow.
ldb-2.9.0/common/ldb_ldif.c:92: overflow: The expression "size" is considered to have possibly overflowed.
ldb-2.9.0/common/ldb_ldif.c:84: overflow_sink: "size", which might be negative, is passed to "read(f, buf, size)". [Note: The source code implementation of the function has been overridden by a builtin model.]
82| buf = (char *)value->data;
83| while (count < statbuf.st_size) {
84|-> bytes = read(f, buf, size);
85| if (bytes == -1) {
86| talloc_free(value->data);
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Apr 30 15:33:32 UTC 2024 on atb-devel-224
Error: INTEGER_OVERFLOW (CWE-190):
ldb-2.9.0/common/ldb_msg.c:1235: tainted_data_argument: The check "i < msg2->num_elements" contains the tainted expression "i" which causes "msg2->num_elements" to be considered tainted.
ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "msg2->num_elements - (i + 1U)" is deemed underflowed because at least one of its arguments has underflowed.
ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "32UL * (msg2->num_elements - (i + 1U))" is deemed underflowed because at least one of its arguments has underflowed.
ldb-2.9.0/common/ldb_msg.c:1253: overflow_sink: "32UL * (msg2->num_elements - (i + 1U))", which might have underflowed, is passed to "memmove(el2, el2 + 1, 32UL * (msg2->num_elements - (i + 1U)))". [Note: The source code implementation of the function has been overridden by a builtin model.]
1251| talloc_free(discard_const_p(char, el2->name));
1252| if ((i+1) < msg2->num_elements) {
1253|-> memmove(el2, el2+1, sizeof(struct ldb_message_element) *
1254| (msg2->num_elements - (i+1)));
1255| }
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
If a non-lowercase ASCII character has an uppercase counterpart in
some locale, toupper() will convert it to an int codepoint. Probably
that codepoint is too big to fit in our char return type, so we would
truncate it to 8 bit. So it becomes an arbitrary mapping.
It would also behave strangely with a byte with the top bit set, say
0xE2. If char is unsigned on this system, that is 'â', which
uppercases to 'Â', with the codepoint 0xC2. That seems fine in
isolation, but remember this is ldb_utf8.c, and that byte was not a
codepoint but a piece of a long utf-8 encoding. In the more likely
case where char is signed, toupper() is being passed a negative
number, the result of which is undefined.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 23 02:37:25 UTC 2024 on atb-devel-224
In a dotless-I locale, we might meet an 'i' before we meet a byte with
the high bit set, in which case we still want the ldb casefold
comparison.
Many ldb operations will do some case-folding before getting here, so
hitting this might be quite rare even in those locales.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This isn't supposed to be used for sorting, but it is hard to say it
won't be, so we might as well make it sort properly.
Following long-standing behaviour, we try to sort "FALSE" > "TRUE", by
length, then switch to using strncasecmp().
strncasecmp would sort the other way, so we swap the operands. This is
to make e.g. "TRUE\0" sort the same as "TRUE".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We were returning -1 in all these cases:
ldb_dn_compare(dn, NULL);
ldb_dn_compare(NULL, dn);
ldb_dn_compare(NULL, NULL);
which would give strange results in sort, where this is often used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We can still have inconsistent comparisons, because two elements with
the same number of values will always return -1 if they are unequal,
which means they will sort differently depending on the order in which
they are compared.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If a compare function is non-transitive (for example, if it evaluates
A > B and B > C, but A < C), this implementation of qsort could access
out-of-bounds memory. This was found in glibc's qsort by Qualys, and
their write-up for OSS-Security explains it very well:
https://www.openwall.com/lists/oss-security/2024/01/30/7
An example of a non-transitive compare is one in which does this
int cmp(const void *_a, const void *_b)
{
int a = *(int *)_a;
int b = *(int *)_b;
return a - b;
}
which does the right thing when the magnitude of the numbers is small,
but which will go wrong if a is INT_MIN and b is INT_MAX. Likewise, if
a and b are e.g. uint32_t, the value can wrap when cast to int.
We have functions that are non-transitive regardless of subtraction.
For example, here (which is not used with ldb_qsort):
int codepoint_cmpi(codepoint_t c1, codepoint_t c2)
if (c1 == c2 ||
toupper_m(c1) == toupper_m(c2)) {
return 0;
}
return c1 - c2;
}
The toupper_m() is only called on equality case. Consider {'a', 'A', 'B'}.
'a' == 'A'
'a' > 'B' (lowercase letters come after upper)
'A' < 'B'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15569
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This LDB_FREE() seems to predate TALLOC_FREE(), and was identical
until TALLOC_FREE was optimised to avoid calling talloc_free(NULL) in
b9fcfc6399eab750880ee0b9806311dd351a8ff6.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The comparison we make is unconventional, and makes no difference in
normal usage, where we just want to know whether two DNs are the same
or not. But with over 100 callers, it is possible that something
somewhere is attempting a sort.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In the best case, this would have leaked.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The underlying function should return -1 and set errno when given invalid
strings, but we were not looking and have decided on 0 for error.
It would be a pain to change this function to return -1. Apart from the
API fuss, it is sometimes used unchecked to set an unsigned number and
an unchecked 0 is better than UINT*_MAX in those contexts.
It is probably not easy to get an -1 from a timegm() -- most
implementations will happily convert overflows for you, so e.g. the
15th month would be March of the next year. But EOVERFLOW is mentioned
in the manpages.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
