author | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2018-02-17 10:46:44 +1300 |
---|---|---|
committer | Douglas Bagnall <dbagnall@samba.org> | 2018-02-22 01:04:18 +0100 |
commit | a4c853a7deb080dd44e3c54eb45935ff0df91baf (patch) | |
tree | a0c343ff4c1485f0fedb844f958529f56d1cc6dc | |
parent | 6ef6ddce5a64c55729c2e3d423757f504b0ab15e (diff) | |
util/rfc1738_unescape(): return end pointer or NULL on error
At present we don't detect errors, but when we do we'll return NULL.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | lib/util/rfc1738.c | 5 | ||||
-rw-r--r-- | lib/util/samba_util.h | 2 | ||||
-rw-r--r-- | source3/client/smbspool.c | 8 | ||||
-rw-r--r-- | source3/utils/ntlm_auth.c | 18 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_client.c | 11 |
5 files changed, 32 insertions, 12 deletions
diff --git a/lib/util/rfc1738.c b/lib/util/rfc1738.c index b285ae97e00..5474ea8a4f9 100644 --- a/lib/util/rfc1738.c +++ b/lib/util/rfc1738.c @@ -193,8 +193,8 @@ rfc1738_escape_part(TALLOC_CTX *mem_ctx, const char *url) * rfc1738_unescape() - Converts escaped characters (%xy numbers) in * given the string. %% is a %. %ab is the 8-bit hexadecimal number "ab" */ -_PUBLIC_ void -rfc1738_unescape(char *s) + +_PUBLIC_ char *rfc1738_unescape(char *s) { char hexnum[3]; int i, j; /* i is write, j is read */ @@ -222,4 +222,5 @@ rfc1738_unescape(char *s) } } s[i] = '\0'; + return s + i; } diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h index 3daf3dfdfd0..f6b3e23abc3 100644 --- a/lib/util/samba_util.h +++ b/lib/util/samba_util.h @@ -225,7 +225,7 @@ _PUBLIC_ char *hex_encode_talloc(TALLOC_CTX *mem_ctx, const unsigned char *buff_ /** Unescape a URL encoded string, in place. **/ -_PUBLIC_ void rfc1738_unescape(char *buf); +_PUBLIC_ char *rfc1738_unescape(char *buf); /** diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c index 152492eadf1..3660319b5b1 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c @@ -698,12 +698,16 @@ static char * uri_unescape_alloc(const char *uritok) { char *ret; - + char *end; ret = (char *) SMB_STRDUP(uritok); if (!ret) { return NULL; } - rfc1738_unescape(ret); + end = rfc1738_unescape(ret); + if (end == NULL) { + free(ret); + return NULL; + } return ret; } diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 3f544902a24..78bafe12efa 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -1260,7 +1260,7 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, struct ntlm_auth_state *state, char *buf, int length, void **private2) { - char *user, *pass; + char *user, *pass; user=buf; pass=(char *)memchr(buf,' ',length); 
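Review bot: The comment block above `rfc1738_unescape()` in lib/util/rfc1738.c and the `Unescape a URL encoded string, in place.` comment in lib/util/samba_util.h still describe a void function, so the new return contract is not documented where a caller would look for it. I would add to both something like `Returns a pointer to the terminating NUL of the unescaped string, or NULL on error.` It is also worth stating there that the returned pointer can lie past `strlen(s)` if the decoded data contains a NUL byte, since the ntlm_auth.c caller appears to rely on exactly that. The decoding loop sits between the two rfc1738.c hunks and is not visible here, so that last point should be confirmed against the body.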
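Review bot: `uri_unescape_alloc()` in source3/client/smbspool.c checks only `end == NULL`, so a token whose decoded form contains a NUL byte would still be returned, silently truncated at that byte. The ntlm_auth.c hunk in this same commit rejects that case with `(end - user) != strlen(user)`, and the same comparison looks appropriate here, for example `if (end == NULL || (size_t)(end - ret) != strlen(ret)) {` in front of the existing `free(ret); return NULL;`. The ldapi branch of `ldap_connect_send()` in source4/libcli/ldap/ldap_client.c has the same gap for `path`, where a truncated string would name a different socket path from the one written in the URL. Whether `%00` is actually decoded depends on the body of `rfc1738_unescape()`, which is outside these hunks.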
@@ -1273,8 +1273,20 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, pass++; if (state->helper_mode == SQUID_2_5_BASIC) { - rfc1738_unescape(user); - rfc1738_unescape(pass); + char *end = rfc1738_unescape(user); + if (end == NULL || (end - user) != strlen(user)) { + DEBUG(2, ("Badly rfc1738 encoded username: %s; " + "denying access\n", user)); + printf("ERR\n"); + return; + } + end = rfc1738_unescape(pass); + if (end == NULL || (end - pass) != strlen(pass)) { + DEBUG(2, ("Badly encoded password for %s; " + "denying access\n", user)); + printf("ERR\n"); + return; + } } if (check_plaintext_auth(user, pass, False)) { diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index 40d508cb01c..b5f5da6fa00 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -412,7 +412,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con if (strequal(protocol, "ldapi")) { struct socket_address *unix_addr; char path[1025]; - + char *end = NULL; NTSTATUS status = socket_create("unix", SOCKET_TYPE_STREAM, &state->sock, 0); if (!NT_STATUS_IS_OK(status)) { return NULL; @@ -439,15 +439,18 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con return result; } - rfc1738_unescape(path); - + end = rfc1738_unescape(path); + if (end == NULL) { + composite_error(state->ctx, + NT_STATUS_INVALID_PARAMETER); + return result; + } unix_addr = socket_address_from_strings(state, state->sock->backend_name, path, 0); if (composite_nomem(unix_addr, result)) { return result; } - ctx = socket_connect_send(state->sock, NULL, unix_addr, 0, result->event_ctx); ctx->async.fn = ldap_connect_recv_unix_conn; |
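Review bot: The test `(end - user) != strlen(user)`, and the matching one for `pass`, is the security-relevant part of this hunk, yet nothing explains why it is there, and it compares a signed `ptrdiff_t` with a `size_t`. I would add a comment such as `/* a decoded NUL would truncate the credential; reject it */` and write the comparison as `(size_t)(end - user) != strlen(user)`. Separately, the first `DEBUG(2, ...)` prints `user` with `%s` after the unescape has failed or produced an embedded NUL, so the log receives decoded client-supplied bytes whose content is unspecified when `end` is NULL; logging a fixed message, or the length only, would avoid that. `manage_squid_basic_request()` begins and ends outside this hunk.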