CVE-2019-3824 ldb: wildcard_match end of data check

ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0' to the data, to make them safe to use the C string functions on. However testing for the trailing '\0' is not the correct way to test for the end of a value, the length should be checked instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 42f0f57eb819ce6b68a8c5b3b53123b83ec917e3)
author: Gary Lockyer <gary@catalyst.net.nz> 2019-02-19 10:26:56 +1300
committer: Stefan Metzmacher <metze@samba.org> 2019-02-26 13:00:12 +0100
commit: aecd14f8bdc00519c981f17d398df3054fcab9da (patch)
tree: a0ffa1e51c25f6cd30e9d2c91998b5c6e35583d0 /lib
parent: 41fd2cde0c7e422381c7ae62296b1767feec9dcb (diff)
download: samba-aecd14f8bdc00519c981f17d398df3054fcab9da.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
index 59f48b52b70..829afa77e71 100644
--- a/lib/ldb/common/ldb_match.c
+++ b/lib/ldb/common/ldb_match.c
@@ -353,7 +353,7 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 	}
 
 	/* last chunk may not have reached end of string */
-	if ( (! tree->u.substring.end_with_wildcard) && (*(val.data) != 0) ) goto mismatch;
+	if ( (! tree->u.substring.end_with_wildcard) && (val.length != 0) ) goto mismatch;
 	talloc_free(save_p);
 	*matched = true;
 	return LDB_SUCCESS;
author	Gary Lockyer <gary@catalyst.net.nz>	2019-02-19 10:26:56 +1300
committer	Stefan Metzmacher <metze@samba.org>	2019-02-26 13:00:12 +0100
commit	aecd14f8bdc00519c981f17d398df3054fcab9da (patch)
tree	a0ffa1e51c25f6cd30e9d2c91998b5c6e35583d0 /lib
parent	41fd2cde0c7e422381c7ae62296b1767feec9dcb (diff)
download	samba-aecd14f8bdc00519c981f17d398df3054fcab9da.tar.gz