diff options
author | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2015-11-24 13:09:36 +1300 |
---|---|---|
committer | Ralph Boehme <slow@samba.org> | 2015-12-09 17:17:04 +0100 |
commit | 7bcac237656083e67bbac9b50be9b319bb2d7eb8 (patch) | |
tree | bf686098471278c7c9075f5015054a40d56bdf89 | |
parent | 1aef718f3cc175d90d40202a333042a38ba382b1 (diff) | |
download | samba-7bcac237656083e67bbac9b50be9b319bb2d7eb8.tar.gz |
CVE-2015-5330: ldb_dn_escape_value: use known string length, not strlen()
ldb_dn_escape_internal() reports the number of bytes it copied, so
lets use that number, rather than using strlen() and hoping a zero got
in the right place.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
-rw-r--r-- | lib/ldb/common/ldb_dn.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c index 1b8e51e4990..a3b8f921b49 100644 --- a/lib/ldb/common/ldb_dn.c +++ b/lib/ldb/common/ldb_dn.c @@ -250,7 +250,7 @@ static int ldb_dn_escape_internal(char *dst, const char *src, int len) char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value) { char *dst; - + size_t len; if (!value.length) return NULL; @@ -261,10 +261,14 @@ char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value) return NULL; } - ldb_dn_escape_internal(dst, (const char *)value.data, value.length); - - dst = talloc_realloc(mem_ctx, dst, char, strlen(dst) + 1); + len = ldb_dn_escape_internal(dst, (const char *)value.data, value.length); + dst = talloc_realloc(mem_ctx, dst, char, len + 1); + if ( ! dst) { + talloc_free(dst); + return NULL; + } + dst[len] = '\0'; return dst; } |