author | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2021-03-29 13:03:45 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2021-07-05 04:16:34 +0000 |
commit | b80f66f803554d25352413c24889a5f8fadef6d3 (patch) | |
tree | c3dec87d2c1e3c0fa13e04d1f8990ea57a1bd309 /lib/ldb-samba | |
parent | 7a111c1f35ee949d1f669fe7ea1394c6b3a52ee7 (diff) | |
download | samba-b80f66f803554d25352413c24889a5f8fadef6d3.tar.gz |
ldb-samba: dns tombstone matching: constrict value length
We know the only values we want to see are uint32, ie < ~4 billion
(and real values will be 7 digits for hundreds of years).
We also know the caller (we have just checked) is a trusted system
session which won't be padding the thing with spaces. But if they do,
let's call them out.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'lib/ldb-samba')
-rw-r--r-- | lib/ldb-samba/ldb_matching_rules.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c index 73d957df3d9..827f3920ae8 100644 --- a/lib/ldb-samba/ldb_matching_rules.c +++ b/lib/ldb-samba/ldb_matching_rules.c @@ -336,7 +336,9 @@ static int ldb_comparator_trans(struct ldb_context *ldb, * * This allows a search filter such as: * - * dnsRecord:1.3.6.1.4.1.7165.4.5.3:=131139216000000000 + * dnsRecord:1.3.6.1.4.1.7165.4.5.3:=3694869 + * + * where the value is a number of hours since the start of 1601. * * This allows the caller to find records that should become a DNS * tomestone, despite that information being deep within an NDR packed @@ -380,13 +382,13 @@ static int dsdb_match_for_dns_to_tombstone_time(struct ldb_context *ldb, return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; } - /* Just check we don't allow the caller to fill our stack */ - if (value_to_match->length >= 64) { + /* We only expect uint32_t <= 10 digits */ + if (value_to_match->length >= 12) { DBG_ERR("Invalid timestamp passed\n"); return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; } else { int error = 0; - char s[65]; + char s[12]; memcpy(s, value_to_match->data, value_to_match->length); s[value_to_match->length] = 0; |
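Review bot: In the comment block of the first hunk (@@ -336,7 +336,9), the new sentence gives the unit of the value but not the format the function now accepts. Consider adding that the value must be an unpadded decimal uint32, so a caller reading the comment understands why a longer string comes back as LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. The unchanged context line still reads "tomestone"; it could be corrected to "tombstone" while this comment is being touched.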
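Review bot: In the second hunk (@@ -380,13 +382,13), the new comment says "uint32_t <= 10 digits" but the test `value_to_match->length >= 12` still accepts 11 bytes, and the bound is a literal kept separately from `char s[12]`. The memcpy stays in bounds (11 bytes plus the terminator fit in 12), so this is a consistency point rather than an overflow: either say in the comment what the eleventh byte is for, or tighten both numbers to 11. It would also help to declare s before the test and write the check as `value_to_match->length >= sizeof(s)`, so the limit and the buffer cannot drift apart in a later edit. The length test on its own does not reject non-digit bytes or values above UINT32_MAX, so the parse that follows (not visible in this hunk) has to carry that, and the DBG_ERR text "Invalid timestamp passed" could mention the length so an over-long value is identifiable in the log.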