From aecd14f8bdc00519c981f17d398df3054fcab9da Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 19 Feb 2019 10:26:56 +1300 Subject: CVE-2019-3824 ldb: wildcard_match end of data check ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0' to the data, to make them safe to use the C string functions on. However testing for the trailing '\0' is not the correct way to test for the end of a value, the length should be checked instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett (cherry picked from commit 42f0f57eb819ce6b68a8c5b3b53123b83ec917e3) --- lib/ldb/common/ldb_match.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c index 59f48b52b70..829afa77e71 100644 --- a/lib/ldb/common/ldb_match.c +++ b/lib/ldb/common/ldb_match.c @@ -353,7 +353,7 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, } /* last chunk may not have reached end of string */ - if ( (! tree->u.substring.end_with_wildcard) && (*(val.data) != 0) ) goto mismatch; + if ( (! tree->u.substring.end_with_wildcard) && (val.length != 0) ) goto mismatch; talloc_free(save_p); *matched = true; return LDB_SUCCESS; -- cgit v1.2.1