authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>2018-02-17 10:46:44 +1300
committerDouglas Bagnall <dbagnall@samba.org>2018-02-22 01:04:18 +0100
commita4c853a7deb080dd44e3c54eb45935ff0df91baf (patch)
treea0c343ff4c1485f0fedb844f958529f56d1cc6dc
parent6ef6ddce5a64c55729c2e3d423757f504b0ab15e (diff)
util/rfc1738_unescape(): return end pointer or NULL on error
At present we don't detect errors, but when we do we'll return NULL. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--lib/util/rfc1738.c5
-rw-r--r--lib/util/samba_util.h2
-rw-r--r--source3/client/smbspool.c8
-rw-r--r--source3/utils/ntlm_auth.c18
-rw-r--r--source4/libcli/ldap/ldap_client.c11
5 files changed, 32 insertions, 12 deletions
diff --git a/lib/util/rfc1738.c b/lib/util/rfc1738.c
index b285ae97e00..5474ea8a4f9 100644
--- a/lib/util/rfc1738.c
+++ b/lib/util/rfc1738.c
@@ -193,8 +193,8 @@ rfc1738_escape_part(TALLOC_CTX *mem_ctx, const char *url)
* rfc1738_unescape() - Converts escaped characters (%xy numbers) in
* given the string. %% is a %. %ab is the 8-bit hexadecimal number "ab"
*/
-_PUBLIC_ void
-rfc1738_unescape(char *s)
+
+_PUBLIC_ char *rfc1738_unescape(char *s)
{
char hexnum[3];
int i, j; /* i is write, j is read */
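Review bot: The doc comment above `rfc1738_unescape()` still describes only the in-place conversion and does not mention the new return value; the declaration comment in lib/util/samba_util.h ("Unescape a URL encoded string, in place.") has the same gap. Callers need to know that the returned pointer is the terminating NUL of the decoded string (`s + i` in the second hunk) and that NULL is reserved for a decode error that is not yet detected. That contract is what lets a caller notice a decoded NUL byte by comparing `end - s` with `strlen(s)`. I would add to both comments a line such as `Returns a pointer to the terminating NUL of the unescaped string, or NULL on error.` The function body continues outside this hunk.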
@@ -222,4 +222,5 @@ rfc1738_unescape(char *s)
}
}
s[i] = '\0';
+ return s + i;
}
diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
index 3daf3dfdfd0..f6b3e23abc3 100644
--- a/lib/util/samba_util.h
+++ b/lib/util/samba_util.h
@@ -225,7 +225,7 @@ _PUBLIC_ char *hex_encode_talloc(TALLOC_CTX *mem_ctx, const unsigned char *buff_
/**
Unescape a URL encoded string, in place.
**/
-_PUBLIC_ void rfc1738_unescape(char *buf);
+_PUBLIC_ char *rfc1738_unescape(char *buf);
/**
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 152492eadf1..3660319b5b1 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -698,12 +698,16 @@ static char *
uri_unescape_alloc(const char *uritok)
{
char *ret;
-
+ char *end;
ret = (char *) SMB_STRDUP(uritok);
if (!ret) {
return NULL;
}
- rfc1738_unescape(ret);
+ end = rfc1738_unescape(ret);
+ if (end == NULL) {
+ free(ret);
+ return NULL;
+ }
return ret;
}
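Review bot: `uri_unescape_alloc()` tests only `end == NULL`, which by the commit message cannot happen yet, so a token whose decoded form contains a NUL byte (assuming the decoder passes one through) is still returned silently truncated. The ntlm_auth.c hunk in this commit rejects that case by comparing the decoded length with `strlen()`, and the same test fits here: `if (end == NULL || (size_t)(end - ret) != strlen(ret)) {`. The ldapi branch in source4/libcli/ldap/ldap_client.c has the same gap for `path`, where truncation would change which socket path is passed to `socket_address_from_strings()`. Whether a truncated token matters to smbspool depends on callers outside this hunk.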
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 3f544902a24..78bafe12efa 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1260,7 +1260,7 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
struct ntlm_auth_state *state,
char *buf, int length, void **private2)
{
- char *user, *pass;
+ char *user, *pass;
user=buf;
pass=(char *)memchr(buf,' ',length);
@@ -1273,8 +1273,20 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
pass++;
if (state->helper_mode == SQUID_2_5_BASIC) {
- rfc1738_unescape(user);
- rfc1738_unescape(pass);
+ char *end = rfc1738_unescape(user);
+ if (end == NULL || (end - user) != strlen(user)) {
+ DEBUG(2, ("Badly rfc1738 encoded username: %s; "
+ "denying access\n", user));
+ printf("ERR\n");
+ return;
+ }
+ end = rfc1738_unescape(pass);
+ if (end == NULL || (end - pass) != strlen(pass)) {
+ DEBUG(2, ("Badly encoded password for %s; "
+ "denying access\n", user));
+ printf("ERR\n");
+ return;
+ }
}
if (check_plaintext_auth(user, pass, False)) {
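Review bot: In both new checks `(end - user) != strlen(user)` compares a signed `ptrdiff_t` with a `size_t`, which draws a sign-compare warning and hides the intent. `(size_t)(end - user) != strlen(user)` is explicit, and a one-line comment such as `/* a decoded NUL byte would truncate the credential */` would tell the next reader why the length test is there. The username failure path also logs `user` with `%s` after it has been unescaped in place, so decoded control characters supplied by the client can reach the level-2 debug log; logging a fixed message avoids that. The two blocks are nearly identical and could share a small static helper. manage_squid_basic_request() starts and ends outside this hunk.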
diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c
index 40d508cb01c..b5f5da6fa00 100644
--- a/source4/libcli/ldap/ldap_client.c
+++ b/source4/libcli/ldap/ldap_client.c
@@ -412,7 +412,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
if (strequal(protocol, "ldapi")) {
struct socket_address *unix_addr;
char path[1025];
-
+ char *end = NULL;
NTSTATUS status = socket_create("unix", SOCKET_TYPE_STREAM, &state->sock, 0);
if (!NT_STATUS_IS_OK(status)) {
return NULL;
@@ -439,15 +439,18 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
return result;
}
- rfc1738_unescape(path);
-
+ end = rfc1738_unescape(path);
+ if (end == NULL) {
+ composite_error(state->ctx,
+ NT_STATUS_INVALID_PARAMETER);
+ return result;
+ }
unix_addr = socket_address_from_strings(state, state->sock->backend_name,
path, 0);
if (composite_nomem(unix_addr, result)) {
return result;
}
-
ctx = socket_connect_send(state->sock, NULL, unix_addr,
0, result->event_ctx);
ctx->async.fn = ldap_connect_recv_unix_conn;