
From 71b87e678bcc03bb9a0802f7dffc97cf354ee69a Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 5 Apr 2018 14:52:34 -0400
Subject: [PATCH] CVE-2018-1089 - Crash from long search filter
---
 ldap/servers/slapd/filter.c |  8 ++++----
 ldap/servers/slapd/util.c   | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
index 2ac3d2cd8..393a4dcee 100644
--- a/ldap/servers/slapd/filter.c
+++ b/ldap/servers/slapd/filter.c
@@ -472,7 +472,7 @@ get_substring_filter(
             f->f_sub_initial = val;
             eval = (char *)slapi_escape_filter_value(val, -1);
             if (eval) {
-                if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+                if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
                     fstr_len += (strlen(eval) + 1) * 2;
                     *fstr = slapi_ch_realloc(*fstr, fstr_len);
                 }
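Review bot: The corrected bound `fstr_len <= strlen(*fstr) + strlen(eval) + 1` still leaves the size relation it enforces undocumented and calls `strlen(eval)` three times, here and identically in the @@ -486 and @@ -504 hunks; the @@ -530 hunk has the same shape with a constant 3. The append this check protects, and the growth it assumes is sufficient, lie outside the hunk, so the `+ 1` and the change from `<` to `<=` read as magic numbers to the next maintainer. Hoisting the length and stating the intent makes the bound checkable at a glance: `size_t eval_len = strlen(eval); /* room for eval, presumably one separator byte, and the NUL */`, `if (fstr_len <= strlen(*fstr) + eval_len + 1) {`, `fstr_len += (eval_len + 1) * 2;`. The growth term only covers the shortfall if fstr_len is never below strlen(*fstr) + 1 on entry, which nothing visible here enforces, so the comment should say that too. get_substring_filter's body continues on both sides of this hunk.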
@@ -486,7 +486,7 @@ get_substring_filter(
             charray_add(&f->f_sub_any, val);
             eval = (char *)slapi_escape_filter_value(val, -1);
             if (eval) {
-                if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+                if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
                     fstr_len += (strlen(eval) + 1) * 2;
                     *fstr = slapi_ch_realloc(*fstr, fstr_len);
                 }
@@ -504,7 +504,7 @@ get_substring_filter(
             f->f_sub_final = val;
             eval = (char *)slapi_escape_filter_value(val, -1);
             if (eval) {
-                if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+                if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
                     fstr_len += (strlen(eval) + 1) * 2;
                     *fstr = slapi_ch_realloc(*fstr, fstr_len);
                 }
@@ -530,7 +530,7 @@ get_substring_filter(
     }
 
     filter_compute_hash(f);
-    if (fstr_len < strlen(*fstr) + 3) {
+    if (fstr_len <= strlen(*fstr) + 3) {
         fstr_len += 3;
         *fstr = slapi_ch_realloc(*fstr, fstr_len);
     }
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index ddb2cc899..cb46efb3d 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -161,6 +161,11 @@ do_escape_string(
                     break;
                 }
                 do {
+                    if (bufSpace < 4) {
+                        memcpy(bufNext, "..", 2);
+                        bufNext += 2;
+                        goto bail;
+                    }
                     if (esc == UTIL_ESCAPE_BACKSLASH) {
                         /* *s is '\\' */
                         /* If *(s+1) and *(s+2) are both hex digits,
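Review bot: The relocated truncation check at the top of the `do` loop still writes the `..` marker, and presumably a NUL at `bail`, without confirming bufSpace is at least 3, so it relies on an entry invariant this hunk does not show; the block removed in the @@ -179 hunk carried the same assumption. Moving the check ahead of the optional backslash and raising the threshold to 4 is what keeps `'\\'` plus the two hex digits plus PR_snprintf's NUL inside the buffer, and that arithmetic deserves a comment on the new `if`: `/* worst case below is '\\' + 2 hex digits + NUL = 4 bytes */`. If the loop can be entered with bufSpace below 3 (its condition and the code before it are outside the hunk), the marker itself overflows, so guarding it with `if (bufSpace >= 3) { memcpy(bufNext, "..", 2); bufNext += 2; }` before `goto bail` makes the check self-contained. do_escape_string starts before and continues after this hunk.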
@@ -179,11 +184,6 @@ do_escape_string(
                             *bufNext++ = '\\';
                             --bufSpace;
                         }
-                        if (bufSpace < 3) {
-                            memcpy(bufNext, "..", 2);
-                            bufNext += 2;
-                            goto bail;
-                        }
                         PR_snprintf(bufNext, 3, "%02x", *(unsigned char *)s);
                         bufNext += 2;
                         bufSpace -= 2;
-- 
2.13.6