authorJeremy Allison <jra@samba.org>2015-06-09 14:00:01 -0700
committerRalph Boehme <slow@samba.org>2015-12-09 17:19:51 +0100
commitaa6c27148b9d3f8c1e4fdd5dd46bfecbbd0ca465 (patch)
tree91a0e2316542eae727eb6d7a205eec62261d30ff /lib
parentec504dbf69636a554add1f3d5703dd6c3ad450b8 (diff)
downloadsamba-aa6c27148b9d3f8c1e4fdd5dd46bfecbbd0ca465.tar.gz
CVE-2015-3223: lib: ldb: Use memmem binary search, not strstr text search.
Values might have embedded zeros. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/ldb/common/ldb_match.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
index 7414289b613..182c6ce5720 100644
--- a/lib/ldb/common/ldb_match.c
+++ b/lib/ldb/common/ldb_match.c
@@ -241,7 +241,6 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
struct ldb_val val;
struct ldb_val cnk;
struct ldb_val *chunk;
- char *p, *g;
uint8_t *save_p = NULL;
unsigned int c = 0;
@@ -288,6 +287,7 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
}
while (tree->u.substring.chunks[c]) {
+ uint8_t *p;
chunk = tree->u.substring.chunks[c];
if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
@@ -299,15 +299,24 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
if (cnk.length == 0) {
goto mismatch;
}
- p = strstr((char *)val.data, (char *)cnk.data);
+ /*
+ * Values might be binary blobs. Don't use string
+ * search, but memory search instead.
+ */
+ p = memmem((const void *)val.data,val.length,
+ (const void *)cnk.data, cnk.length);
if (p == NULL) goto mismatch;
if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
+ uint8_t *g;
do { /* greedy */
- g = strstr((char *)p + cnk.length, (char *)cnk.data);
+ g = memmem(p + cnk.length,
+ val.length - (p - val.data),
+ (const uint8_t *)cnk.data,
+ cnk.length);
if (g) p = g;
} while(g);
}
- val.length = val.length - (p - (char *)(val.data)) - cnk.length;
+ val.length = val.length - (p - (uint8_t *)(val.data)) - cnk.length;
val.data = (uint8_t *)(p + cnk.length);
c++;
talloc_free(cnk.data);
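Review bot: The length passed to the greedy memmem on the `val.length - (p - val.data)` line is too large by cnk.length bytes: the haystack starts at `p + cnk.length`, but the remaining-length term is computed from `p`, so the search window ends cnk.length bytes past `val.data + val.length` and memmem can read beyond the value buffer on the last iteration. The fix keeps the haystack start and shrinks the length to match, `val.length - (p - val.data) - cnk.length,`, which also mirrors the arithmetic the hunk already uses when it updates `val.length` after the loop. As a point of style, the needle is cast to `(const void *)` in the first call and `(const uint8_t *)` in the second; both are implicit conversions anyway, so dropping the casts would remove the inconsistency. memmem is a GNU/POSIX extension rather than standard C, so the file presumably relies on `_GNU_SOURCE` or a replacement header being in scope — worth confirming, since an implicit declaration would compile on glibc but fail elsewhere. ldb_wildcard_compare continues outside the hunk.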