authorAndrew Bartlett <abartlet@samba.org>2019-02-04 11:22:34 +1300
committerGary Lockyer <gary@samba.org>2019-02-25 21:26:11 +0100
commit745b99fc6b75db33cdb0a58df1a3f2a5063bc76e (patch)
treec7413ecd2aad88e106f152e5f6f6837261f44f4d /lib
parent3674b0891afb016c83763520b87e9f190dcfe884 (diff)
downloadsamba-745b99fc6b75db33cdb0a58df1a3f2a5063bc76e.tar.gz
CVE-2019-3824 ldb: Extra comments to clarify no pointer wrap in wildcard processing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'lib')
-rw-r--r--lib/ldb/common/ldb_match.c25
1 files changed, 23 insertions, 2 deletions
diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
index 8eeedfb12e0..1920b661f75 100644
--- a/lib/ldb/common/ldb_match.c
+++ b/lib/ldb/common/ldb_match.c
@@ -306,12 +306,33 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
p = memmem((const void *)val.data,val.length,
(const void *)cnk.data, cnk.length);
if (p == NULL) goto mismatch;
+
+ /*
+ * At this point we know cnk.length <= val.length as
+ * otherwise there could be no match
+ */
+
if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
uint8_t *g;
uint8_t *end = val.data + val.length;
do { /* greedy */
- g = memmem(p + cnk.length,
- end - (p + cnk.length),
+
+ /*
+ * haystack is a valid pointer in val
+ * because the memmem() can only
+ * succeed if the needle (cnk.length)
+ * is <= haystacklen
+ *
+ * p will be a pointer at least
+ * cnk.length from the end of haystack
+ */
+ uint8_t *haystack
+ = p + cnk.length;
+ size_t haystacklen
+ = end - (haystack);
+
+ g = memmem(haystack,
+ haystacklen,
(const uint8_t *)cnk.data,
cnk.length);
if (g) p = g;
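Review bot: The new comment inside the greedy loop justifies the bound only for the first pass, where `p` comes from the outer memmem(); after `if (g) p = g;` the pointer comes from the inner memmem(), and the same bound is left unstated for that case. Its last sentence is also hard to follow, since `haystack` starts after `p`; the bound that matters is against `end`, i.e. `val.data + val.length`. I would reword it as a loop invariant, for example `/* invariant: p + cnk.length <= end on every pass, so haystack lies in val or one past its end and end - haystack cannot wrap */`. That wording also covers a match at the very end of `val`, where `haystack == end` and `haystacklen` is 0, which "a valid pointer in val" does not quite describe. The do-loop and ldb_wildcard_compare() both continue outside this hunk, so the loop condition is not visible here.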