[Pkg-samba-maint] [samba] 02/19: CVE-2015-3223: lib: ldb: Cope with canonicalise_fn returning string "", length 0.

[Jelmer Vernooij]

This is an automated email from the git hooks/post-receive script.

jelmer pushed a commit to branch upstream_4.3
in repository samba.

commit 3e7e136f20aa98d35244989b5d4232b11ae8bfcd
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jun 9 12:42:10 2015 -0700

    CVE-2015-3223: lib: ldb: Cope with canonicalise_fn returning string "", length 0.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
---
 lib/ldb/common/ldb_match.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
index a493dae..7414289 100644
--- a/lib/ldb/common/ldb_match.c
+++ b/lib/ldb/common/ldb_match.c
@@ -271,6 +271,14 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 		if (cnk.length > val.length) {
 			goto mismatch;
 		}
+		/*
+		 * Empty strings are returned as length 0. Ensure
+		 * we can cope with this.
+		 */
+		if (cnk.length == 0) {
+			goto mismatch;
+		}
+
 		if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) goto mismatch;
 		val.length -= cnk.length;
 		val.data += cnk.length;
@@ -284,7 +292,13 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 		chunk = tree->u.substring.chunks[c];
 		if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
 
-		/* FIXME: case of embedded nulls */
+		/*
+		 * Empty strings are returned as length 0. Ensure
+		 * we can cope with this.
+		 */
+		if (cnk.length == 0) {
+			goto mismatch;
+		}
 		p = strstr((char *)val.data, (char *)cnk.data);
 		if (p == NULL) goto mismatch;
 		if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git