1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/lib/util/charset/util_unistr.c
Douglas Bagnall a118d4220e CVE-2015-5330: strupper_talloc_n_handle(): properly count characters
When a codepoint eats more than one byte we really want to know,
especially if the string is not NUL terminated.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-12-09 17:19:52 +01:00

417 lines
10 KiB
C

/*
Unix SMB/CIFS implementation.
Samba utility functions
Copyright (C) Andrew Tridgell 1992-2001
Copyright (C) Simo Sorce 2001
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "system/locale.h"
/**
String replace.
NOTE: oldc and newc must be 7 bit characters
**/
_PUBLIC_ void string_replace_m(char *s, char oldc, char newc)
{
struct smb_iconv_handle *ic = get_iconv_handle();
while (s && *s) {
size_t size;
codepoint_t c = next_codepoint_handle(ic, s, &size);
if (c == oldc) {
*s = newc;
}
s += size;
}
}
/**
Convert a string to lower case, allocated with talloc
**/
_PUBLIC_ char *strlower_talloc_handle(struct smb_iconv_handle *iconv_handle,
TALLOC_CTX *ctx, const char *src)
{
size_t size=0;
char *dest;
if(src == NULL) {
return NULL;
}
/* this takes advantage of the fact that upper/lower can't
change the length of a character by more than 1 byte */
dest = talloc_array(ctx, char, 2*(strlen(src))+1);
if (dest == NULL) {
return NULL;
}
while (*src) {
size_t c_size;
codepoint_t c = next_codepoint_handle(iconv_handle, src, &c_size);
src += c_size;
c = tolower_m(c);
c_size = push_codepoint_handle(iconv_handle, dest+size, c);
if (c_size == -1) {
talloc_free(dest);
return NULL;
}
size += c_size;
}
dest[size] = 0;
/* trim it so talloc_append_string() works */
dest = talloc_realloc(ctx, dest, char, size+1);
talloc_set_name_const(dest, dest);
return dest;
}
_PUBLIC_ char *strlower_talloc(TALLOC_CTX *ctx, const char *src)
{
struct smb_iconv_handle *iconv_handle = get_iconv_handle();
return strlower_talloc_handle(iconv_handle, ctx, src);
}
/**
Convert a string to UPPER case, allocated with talloc
source length limited to n bytes, iconv handle supplied
**/
_PUBLIC_ char *strupper_talloc_n_handle(struct smb_iconv_handle *iconv_handle,
TALLOC_CTX *ctx, const char *src, size_t n)
{
size_t size=0;
char *dest;
if (!src) {
return NULL;
}
/* this takes advantage of the fact that upper/lower can't
change the length of a character by more than 1 byte */
dest = talloc_array(ctx, char, 2*(n+1));
if (dest == NULL) {
return NULL;
}
while (n && *src) {
size_t c_size;
codepoint_t c = next_codepoint_handle_ext(iconv_handle, src, n,
CH_UNIX, &c_size);
src += c_size;
n -= c_size;
c = toupper_m(c);
c_size = push_codepoint_handle(iconv_handle, dest+size, c);
if (c_size == -1) {
talloc_free(dest);
return NULL;
}
size += c_size;
}
dest[size] = 0;
/* trim it so talloc_append_string() works */
dest = talloc_realloc(ctx, dest, char, size+1);
talloc_set_name_const(dest, dest);
return dest;
}
/**
Convert a string to UPPER case, allocated with talloc
source length limited to n bytes
**/
_PUBLIC_ char *strupper_talloc_n(TALLOC_CTX *ctx, const char *src, size_t n)
{
struct smb_iconv_handle *iconv_handle = get_iconv_handle();
return strupper_talloc_n_handle(iconv_handle, ctx, src, n);
}
/**
Convert a string to UPPER case, allocated with talloc
**/
_PUBLIC_ char *strupper_talloc(TALLOC_CTX *ctx, const char *src)
{
return strupper_talloc_n(ctx, src, src?strlen(src):0);
}
/**
talloc_strdup() a unix string to upper case.
**/
_PUBLIC_ char *talloc_strdup_upper(TALLOC_CTX *ctx, const char *src)
{
return strupper_talloc(ctx, src);
}
/**
Find the number of 'c' chars in a string
**/
_PUBLIC_ size_t count_chars_m(const char *s, char c)
{
struct smb_iconv_handle *ic = get_iconv_handle();
size_t count = 0;
while (*s) {
size_t size;
codepoint_t c2 = next_codepoint_handle(ic, s, &size);
if (c2 == c) count++;
s += size;
}
return count;
}
/**
* Copy a string from a char* unix src to a dos codepage string destination.
*
* @converted_size the number of bytes occupied by the string in the destination.
* @return bool true if success.
*
* @param flags can include
* <dl>
* <dt>STR_TERMINATE</dt> <dd>means include the null termination</dd>
* <dt>STR_UPPER</dt> <dd>means uppercase in the destination</dd>
* </dl>
*
* @param dest_len the maximum length in bytes allowed in the
* destination. If @p dest_len is -1 then no maximum is used.
**/
static bool push_ascii_string(void *dest, const char *src, size_t dest_len, int flags, size_t *converted_size)
{
size_t src_len;
bool ret;
if (flags & STR_UPPER) {
char *tmpbuf = strupper_talloc(NULL, src);
if (tmpbuf == NULL) {
return false;
}
ret = push_ascii_string(dest, tmpbuf, dest_len, flags & ~STR_UPPER, converted_size);
talloc_free(tmpbuf);
return ret;
}
src_len = strlen(src);
if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
src_len++;
return convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, converted_size);
}
/**
* Copy a string from a dos codepage source to a unix char* destination.
*
* The resulting string in "dest" is always null terminated.
*
* @param flags can have:
* <dl>
* <dt>STR_TERMINATE</dt>
* <dd>STR_TERMINATE means the string in @p src
* is null terminated, and src_len is ignored.</dd>
* </dl>
*
* @param src_len is the length of the source area in bytes.
* @returns the number of bytes occupied by the string in @p src.
**/
static ssize_t pull_ascii_string(char *dest, const void *src, size_t dest_len, size_t src_len, int flags)
{
size_t size = 0;
if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
if (src_len == (size_t)-1) {
src_len = strlen((const char *)src) + 1;
} else {
size_t len = strnlen((const char *)src, src_len);
if (len < src_len)
len++;
src_len = len;
}
}
/* We're ignoring the return here.. */
(void)convert_string(CH_DOS, CH_UNIX, src, src_len, dest, dest_len, &size);
if (dest_len)
dest[MIN(size, dest_len-1)] = 0;
return src_len;
}
/**
* Copy a string from a char* src to a unicode destination.
*
* @returns the number of bytes occupied by the string in the destination.
*
* @param flags can have:
*
* <dl>
* <dt>STR_TERMINATE <dd>means include the null termination.
* <dt>STR_UPPER <dd>means uppercase in the destination.
* <dt>STR_NOALIGN <dd>means don't do alignment.
* </dl>
*
* @param dest_len is the maximum length allowed in the
* destination. If dest_len is -1 then no maxiumum is used.
**/
static ssize_t push_ucs2(void *dest, const char *src, size_t dest_len, int flags)
{
size_t len=0;
size_t src_len = strlen(src);
size_t size = 0;
bool ret;
if (flags & STR_UPPER) {
char *tmpbuf = strupper_talloc(NULL, src);
ssize_t retval;
if (tmpbuf == NULL) {
return -1;
}
retval = push_ucs2(dest, tmpbuf, dest_len, flags & ~STR_UPPER);
talloc_free(tmpbuf);
return retval;
}
if (flags & STR_TERMINATE)
src_len++;
if (ucs2_align(NULL, dest, flags)) {
*(char *)dest = 0;
dest = (void *)((char *)dest + 1);
if (dest_len) dest_len--;
len++;
}
/* ucs2 is always a multiple of 2 bytes */
dest_len &= ~1;
ret = convert_string(CH_UNIX, CH_UTF16, src, src_len, dest, dest_len, &size);
if (ret == false) {
return 0;
}
len += size;
return (ssize_t)len;
}
/**
Copy a string from a ucs2 source to a unix char* destination.
Flags can have:
STR_TERMINATE means the string in src is null terminated.
STR_NOALIGN means don't try to align.
if STR_TERMINATE is set then src_len is ignored if it is -1.
src_len is the length of the source area in bytes
Return the number of bytes occupied by the string in src.
The resulting string in "dest" is always null terminated.
**/
static size_t pull_ucs2(char *dest, const void *src, size_t dest_len, size_t src_len, int flags)
{
size_t size = 0;
if (ucs2_align(NULL, src, flags)) {
src = (const void *)((const char *)src + 1);
if (src_len > 0)
src_len--;
}
if (flags & STR_TERMINATE) {
if (src_len == (size_t)-1) {
src_len = utf16_len(src);
} else {
src_len = utf16_len_n(src, src_len);
}
}
/* ucs2 is always a multiple of 2 bytes */
if (src_len != (size_t)-1)
src_len &= ~1;
/* We're ignoring the return here.. */
(void)convert_string(CH_UTF16, CH_UNIX, src, src_len, dest, dest_len, &size);
if (dest_len)
dest[MIN(size, dest_len-1)] = 0;
return src_len;
}
/**
Copy a string from a char* src to a unicode or ascii
dos codepage destination choosing unicode or ascii based on the
flags in the SMB buffer starting at base_ptr.
Return the number of bytes occupied by the string in the destination.
flags can have:
STR_TERMINATE means include the null termination.
STR_UPPER means uppercase in the destination.
STR_ASCII use ascii even with unicode packet.
STR_NOALIGN means don't do alignment.
dest_len is the maximum length allowed in the destination. If dest_len
is -1 then no maxiumum is used.
**/
_PUBLIC_ ssize_t push_string(void *dest, const char *src, size_t dest_len, int flags)
{
if (flags & STR_ASCII) {
size_t size = 0;
if (push_ascii_string(dest, src, dest_len, flags, &size)) {
return (ssize_t)size;
} else {
return (ssize_t)-1;
}
} else if (flags & STR_UNICODE) {
return push_ucs2(dest, src, dest_len, flags);
} else {
smb_panic("push_string requires either STR_ASCII or STR_UNICODE flag to be set");
return -1;
}
}
/**
Copy a string from a unicode or ascii source (depending on
the packet flags) to a char* destination.
Flags can have:
STR_TERMINATE means the string in src is null terminated.
STR_UNICODE means to force as unicode.
STR_ASCII use ascii even with unicode packet.
STR_NOALIGN means don't do alignment.
if STR_TERMINATE is set then src_len is ignored is it is -1
src_len is the length of the source area in bytes.
Return the number of bytes occupied by the string in src.
The resulting string in "dest" is always null terminated.
**/
_PUBLIC_ ssize_t pull_string(char *dest, const void *src, size_t dest_len, size_t src_len, int flags)
{
if (flags & STR_ASCII) {
return pull_ascii_string(dest, src, dest_len, src_len, flags);
} else if (flags & STR_UNICODE) {
return pull_ucs2(dest, src, dest_len, src_len, flags);
} else {
smb_panic("pull_string requires either STR_ASCII or STR_UNICODE flag to be set");
return -1;
}
}