Blame SOURCES/0026-Ticket-47939-Malformed-cookie-for-LDAP-Sync-makes-DS.patch

From fe0ac5946b04d9ff2455692ddb8c0a8b0c91a7c7 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Mon, 3 Nov 2014 16:58:21 -0800
Subject: [PATCH 26/28] Ticket #47939 - Malformed cookie for LDAP Sync makes DS
 crash
Bug Description: If a cookie sent from clients did not have the
expected form: server_signature#client_signature#change_info_number,
a NULL reference triggered a server crash in sync_cookie_isvalid.
Fix Description: If a cookie does not have the expected form,
sync_cookie_parse returns NULL, which prevents the NULL reference
in the server_signature and client_signature.
https://fedorahosted.org/389/ticket/47939
Reviewed by lkrispen@redhat.com (Thank you, Ludwig!!)
(cherry picked from commit 8f540a6cee09be13430ebe0b983d2affe2863365)
(cherry picked from commit d87202acad6426bee7af8753a0ffe5ad5b3082df)
---
 ldap/servers/plugins/sync/sync_util.c | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)
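diff --git a/ldap/servers/plugins/sync/sync_util.c b/ldap/servers/plugins/sync/sync_util.c
index ef4a3f7..de65b99 100644
--- a/ldap/servers/plugins/sync/sync_util.c
+++ b/ldap/servers/plugins/sync/sync_util.c
@@ -552,21 +552,21 @@ Sync_Cookie *
 sync_cookie_parse (char *cookie)
 {
 	char *p, *q;
-	Sync_Cookie *sc;
+	Sync_Cookie *sc = NULL;
 
 	if (cookie == NULL || *cookie == '\0' ) {
 		return NULL;
 	}
 
+	/* 
+	 * Format of cookie: server_signature#client_signature#change_info_number
+	 * If the cookie is malformed, NULL is returned.
+	 */
 	p = q = cookie;
-	sc = (Sync_Cookie *)slapi_ch_malloc(sizeof(Sync_Cookie));
-
-	sc->cookie_client_signature = NULL;
-	sc->cookie_server_signature = NULL;
-	sc->cookie_change_info = -1;
 	p = strchr(q, '#');
 	if (p) {
 		*p = '\0';
+		sc = (Sync_Cookie *)slapi_ch_calloc(1, sizeof(Sync_Cookie));
 		sc->cookie_server_signature = slapi_ch_strdup(q);
 		q = p + 1;
 		p = strchr(q, '#');
@@ -574,21 +574,32 @@ sync_cookie_parse (char *cookie)
 			*p = '\0';
 			sc->cookie_client_signature = slapi_ch_strdup(q);
 			sc->cookie_change_info = sync_number2int(p+1);
+			if (sc->cookie_change_info < 0) {
+				goto error_return;
+			}
+		} else {
+			goto error_return;
 		}
 	}
-		
 	return (sc);
+error_return:
+	slapi_ch_free_string(&(sc->cookie_client_signature));
+	slapi_ch_free_string(&(sc->cookie_server_signature));
+	slapi_ch_free((void **)&sc);
+	return NULL;
 }
 
 int
 sync_cookie_isvalid (Sync_Cookie *testcookie, Sync_Cookie *refcookie)
 {
 	/* client and server info must match */
-	if (strcmp(testcookie->cookie_client_signature,refcookie->cookie_client_signature) ||
-		strcmp(testcookie->cookie_server_signature,refcookie->cookie_server_signature) || 
-		testcookie->cookie_change_info == -1 || 
-		testcookie->cookie_change_info > refcookie->cookie_change_info )
+	if ((testcookie && refcookie) &&
+		(strcmp(testcookie->cookie_client_signature,refcookie->cookie_client_signature) ||
+		 strcmp(testcookie->cookie_server_signature,refcookie->cookie_server_signature) ||
+		 testcookie->cookie_change_info == -1 ||
+		 testcookie->cookie_change_info > refcookie->cookie_change_info)) {
 		return (0);
+	}
 	/* could add an additional check if the requested state in client cookie is still
 	 * available. Accept any state request for now.
 	 */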
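Review bot: In `sync_cookie_isvalid`, the new `(testcookie && refcookie) &&` guard avoids the NULL dereference but fails open. When either pointer is NULL the whole condition is false, `return (0)` is skipped, and control falls through to the rest of the function, which lies outside this hunk. If that tail reports success, a malformed cookie that `sync_cookie_parse` now rejects with NULL would be treated as valid unless every caller checks for NULL first. Rejecting explicitly is safer: add `if (testcookie == NULL || refcookie == NULL) { return (0); }` before the comparison and leave the original `strcmp` condition as it was.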
-- 
1.9.3