[Pkg-samba-maint] [samba] 09/19: CVE-2015-5330: ldb_dn_explode: copy strings by length, not terminators
Jelmer Vernooij
jelmer at moszumanska.debian.org
Fri Dec 18 13:08:28 UTC 2015
This is an automated email from the git hooks/post-receive script.
jelmer pushed a commit to branch upstream_4.3
in repository samba.
commit d3beacd5c51d5cfaa10ce544bc640b3dc3e66ad7
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Nov 26 11:17:11 2015 +1300
CVE-2015-5330: ldb_dn_explode: copy strings by length, not terminators
That is, memdup(), not strdup(). The terminators might not be there.
But, we have to make sure we put the terminator on, because we tend to
assume the terminator is there in other places.
Use talloc_set_name_const() on the resulting chunk so talloc_report()
remains unchanged.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Pair-programmed-with: Stefan Metzmacher <metze at samba.org>
Pair-programmed-with: Ralph Boehme <slow at samba.org>
---
lib/ldb/common/ldb_dn.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index a3b8f92..cd17cda 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -586,12 +586,15 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
p++;
*d++ = '\0';
- dn->components[dn->comp_num].value.data = (uint8_t *)talloc_strdup(dn->components, dt);
+ dn->components[dn->comp_num].value.data = \
+ (uint8_t *)talloc_memdup(dn->components, dt, l + 1);
dn->components[dn->comp_num].value.length = l;
if ( ! dn->components[dn->comp_num].value.data) {
/* ouch ! */
goto failed;
}
+ talloc_set_name_const(dn->components[dn->comp_num].value.data,
+ (const char *)dn->components[dn->comp_num].value.data);
dt = d;
@@ -707,11 +710,13 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
*d++ = '\0';
dn->components[dn->comp_num].value.length = l;
dn->components[dn->comp_num].value.data =
- (uint8_t *)talloc_strdup(dn->components, dt);
+ (uint8_t *)talloc_memdup(dn->components, dt, l + 1);
if ( ! dn->components[dn->comp_num].value.data) {
/* ouch */
goto failed;
}
+ talloc_set_name_const(dn->components[dn->comp_num].value.data,
+ (const char *)dn->components[dn->comp_num].value.data);
dn->comp_num++;
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git
More information about the Pkg-samba-maint
mailing list