authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>2021-03-29 13:03:45 +1300
committerAndrew Bartlett <abartlet@samba.org>2021-07-05 04:16:34 +0000
commitb80f66f803554d25352413c24889a5f8fadef6d3 (patch)
treec3dec87d2c1e3c0fa13e04d1f8990ea57a1bd309 /lib/ldb-samba
parent7a111c1f35ee949d1f669fe7ea1394c6b3a52ee7 (diff)
ldb-samba: dns tombstone matching: constrict value length
We know the only values we want to see are uint32, ie < ~4 billion (and real values will be 7 digits for hundreds of years). We also know the caller (we have just checked) is a trusted system session which won't be padding the thing with spaces. But if they do, let's call them out. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'lib/ldb-samba')
-rw-r--r--lib/ldb-samba/ldb_matching_rules.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c
index 73d957df3d9..827f3920ae8 100644
--- a/lib/ldb-samba/ldb_matching_rules.c
+++ b/lib/ldb-samba/ldb_matching_rules.c
@@ -336,7 +336,9 @@ static int ldb_comparator_trans(struct ldb_context *ldb,
*
* This allows a search filter such as:
*
- * dnsRecord:1.3.6.1.4.1.7165.4.5.3:=131139216000000000
+ * dnsRecord:1.3.6.1.4.1.7165.4.5.3:=3694869
+ *
+ * where the value is a number of hours since the start of 1601.
*
* This allows the caller to find records that should become a DNS
* tomestone, despite that information being deep within an NDR packed
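Review bot: The example filter in this comment now shows an hour count, but the comment still does not say what form the value must take. The length check changed further down in this commit returns LDB_ERR_INVALID_ATTRIBUTE_SYNTAX for any value of 12 bytes or more, so a padded or NTTIME-style value like the old example now fails. I would add a line after the "hours since the start of 1601" sentence, for example ` * The value must be a plain decimal uint32 (at most 10 digits); longer values are rejected.`. The context line at the end of the hunk also spells "tombstone" as "tomestone". The comment block starts and ends outside this hunk.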
@@ -380,13 +382,13 @@ static int dsdb_match_for_dns_to_tombstone_time(struct ldb_context *ldb,
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
- /* Just check we don't allow the caller to fill our stack */
- if (value_to_match->length >= 64) {
+ /* We only expect uint32_t <= 10 digits */
+ if (value_to_match->length >= 12) {
DBG_ERR("Invalid timestamp passed\n");
return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
} else {
int error = 0;
- char s[65];
+ char s[12];
memcpy(s, value_to_match->data, value_to_match->length);
s[value_to_match->length] = 0;