From b80f66f803554d25352413c24889a5f8fadef6d3 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Mon, 29 Mar 2021 13:03:45 +1300
Subject: ldb-samba: dns tombstone matching: constrict value length
We know the only values we want to see are uint32, ie < ~4 billion (and real values will be 7 digits for hundreds of years). We also know the caller (we have just checked) is a trusted system session which won't be padding the thing with spaces. But if they do, let's call them out.
Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 lib/ldb-samba/ldb_matching_rules.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c
index 73d957df3d9..827f3920ae8 100644
--- a/lib/ldb-samba/ldb_matching_rules.c
+++ b/lib/ldb-samba/ldb_matching_rules.c
@@ -336,7 +336,9 @@ static int ldb_comparator_trans(struct ldb_context *ldb,
 *
 * This allows a search filter such as:
 *
- * dnsRecord:1.3.6.1.4.1.7165.4.5.3:=131139216000000000
+ * dnsRecord:1.3.6.1.4.1.7165.4.5.3:=3694869
+ *
+ * where the value is a number of hours since the start of 1601.
 *
 * This allows the caller to find records that should become a DNS
 * tomestone, despite that information being deep within an NDR packed
@@ -380,13 +382,13 @@ static int dsdb_match_for_dns_to_tombstone_time(struct ldb_context *ldb,
 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
 }
- /* Just check we don't allow the caller to fill our stack */
- if (value_to_match->length >= 64) {
+ /* We only expect uint32_t <= 10 digits */
+ if (value_to_match->length >= 12) {
 DBG_ERR("Invalid timestamp passed\n");
 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
 } else {
 int error = 0;
- char s[65];
+ char s[12];
 memcpy(s, value_to_match->data, value_to_match->length);
 s[value_to_match->length] = 0;
-- cgit v1.2.1
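Review bot: The bound in `if (value_to_match->length >= 12)` and the size in `char s[12]` are two separate literals, so the `memcpy` into `s` stays in bounds only while both are edited together; declaring `s` ahead of the check and writing `if (value_to_match->length >= sizeof(s))` would tie them. The new comment says 10 digits, but the check still admits an 11-byte value, so either the comment should say why one spare byte is allowed or the limit should be `> 10` with `char s[11]`. The length limit by itself does not reject padding, a sign or a value above UINT32_MAX within those bytes; that depends on the parsing after `s[value_to_match->length] = 0;`, which is outside this hunk, as is the start of dsdb_match_for_dns_to_tombstone_time.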