diff options
author | Jeremy Allison <jra@samba.org> | 2015-06-09 12:42:10 -0700 |
---|---|---|
committer | Ralph Boehme <slow@samba.org> | 2015-12-09 17:17:04 +0100 |
commit | fb456954f332c07a645226d59b3b00ec252f8b26 (patch) | |
tree | 66674ad1dddb365b147fb88f10dddf5ee08d7b24 | |
parent | 776eb216f3ab6deb963dd2899f80b2edec63b521 (diff) | |
download | samba-fb456954f332c07a645226d59b3b00ec252f8b26.tar.gz |
CVE-2015-3223: lib: ldb: Cope with canonicalise_fn returning string "", length 0.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
-rw-r--r-- | lib/ldb/common/ldb_match.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c index 7918aec65f1..8bdb0e19b16 100644 --- a/lib/ldb/common/ldb_match.c +++ b/lib/ldb/common/ldb_match.c @@ -270,6 +270,14 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, if (cnk.length > val.length) { goto mismatch; } + /* + * Empty strings are returned as length 0. Ensure + * we can cope with this. + */ + if (cnk.length == 0) { + goto mismatch; + } + if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) goto mismatch; val.length -= cnk.length; val.data += cnk.length; @@ -283,7 +291,13 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, chunk = tree->u.substring.chunks[c]; if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch; - /* FIXME: case of embedded nulls */ + /* + * Empty strings are returned as length 0. Ensure + * we can cope with this. + */ + if (cnk.length == 0) { + goto mismatch; + } p = strstr((char *)val.data, (char *)cnk.data); if (p == NULL) goto mismatch; if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) { |