author | Andrew Bartlett <abartlet@samba.org> | 2019-02-04 11:22:34 +1300 |
---|---|---|
committer | Gary Lockyer <gary@samba.org> | 2019-02-25 21:26:11 +0100 |
commit | 745b99fc6b75db33cdb0a58df1a3f2a5063bc76e (patch) | |
tree | c7413ecd2aad88e106f152e5f6f6837261f44f4d /lib | |
parent | 3674b0891afb016c83763520b87e9f190dcfe884 (diff) | |
CVE-2019-3824 ldb: Extra comments to clarify no pointer wrap in wildcard processing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/ldb/common/ldb_match.c | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
index 8eeedfb12e0..1920b661f75 100644
--- a/lib/ldb/common/ldb_match.c
+++ b/lib/ldb/common/ldb_match.c
@@ -306,12 +306,33 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 p = memmem((const void *)val.data,val.length,
 (const void *)cnk.data, cnk.length);
 if (p == NULL) goto mismatch;
+
+ /*
+ * At this point we know cnk.length <= val.length as
+ * otherwise there could be no match
+ */
+
 if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
 uint8_t *g;
 uint8_t *end = val.data + val.length;
 do { /* greedy */
- g = memmem(p + cnk.length,
- end - (p + cnk.length),
+
+ /*
+ * haystack is a valid pointer in val
+ * because the memmem() can only
+ * succeed if the needle (cnk.length)
+ * is <= haystacklen
+ *
+ * p will be a pointer at least
+ * cnk.length from the end of haystack
+ */
+ uint8_t *haystack
+ = p + cnk.length;
+ size_t haystacklen
+ = end - (haystack);
+
+ g = memmem(haystack,
+ haystacklen,
 (const uint8_t *)cnk.data,
 cnk.length);
 if (g) p = g;
|
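Review bot: The new comment block inside the greedy `do` loop argues that `haystack` stays inside `val`, but it leaves out the precondition the loop needs in order to terminate, namely `cnk.length > 0`. With an empty needle memmem() would be expected to return `haystack` itself, so `p = g` never advances; no zero-length check is visible in this hunk, and `ldb_wildcard_compare` starts and ends outside it, so this needs confirming against the code above. The comment is also looser than the code: `haystack` can equal `end` (one past the last byte, giving `haystacklen == 0`), and it refers to `haystacklen` before that variable is declared. I would reword it along the lines of `/* cnk.length > 0 and the previous memmem() matched at p, so p + cnk.length <= end; haystack may equal end, in which case haystacklen is 0 */`.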