|
 |
96373c |
From 71b87e678bcc03bb9a0802f7dffc97cf354ee69a Mon Sep 17 00:00:00 2001
|
|
|
96373c |
From: Mark Reynolds <mreynolds@redhat.com>
|
|
|
96373c |
Date: Thu, 5 Apr 2018 14:52:34 -0400
|
|
|
96373c |
Subject: [PATCH] CVE-2018-1089 - Crash from long search filter
|
|
|
96373c |
|
|
|
96373c |
---
|
|
|
96373c |
ldap/servers/slapd/filter.c | 8 ++++----
|
|
|
96373c |
ldap/servers/slapd/util.c | 10 +++++-----
|
|
|
96373c |
2 files changed, 9 insertions(+), 9 deletions(-)
|
|
|
96373c |
|
|
|
96373c |
diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
|
|
|
96373c |
index 2ac3d2cd8..393a4dcee 100644
|
|
|
96373c |
--- a/ldap/servers/slapd/filter.c
|
|
|
96373c |
+++ b/ldap/servers/slapd/filter.c
|
|
|
96373c |
@@ -472,7 +472,7 @@ get_substring_filter(
|
|
|
96373c |
f->f_sub_initial = val;
|
|
|
96373c |
eval = (char *)slapi_escape_filter_value(val, -1);
|
|
|
96373c |
if (eval) {
|
|
|
96373c |
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
|
|
|
96373c |
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
|
|
|
96373c |
fstr_len += (strlen(eval) + 1) * 2;
|
|
|
96373c |
*fstr = slapi_ch_realloc(*fstr, fstr_len);
|
|
|
96373c |
}
|
|
|
96373c |
@@ -486,7 +486,7 @@ get_substring_filter(
|
|
|
96373c |
charray_add(&f->f_sub_any, val);
|
|
|
96373c |
eval = (char *)slapi_escape_filter_value(val, -1);
|
|
|
96373c |
if (eval) {
|
|
|
96373c |
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
|
|
|
96373c |
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
|
|
|
96373c |
fstr_len += (strlen(eval) + 1) * 2;
|
|
|
96373c |
*fstr = slapi_ch_realloc(*fstr, fstr_len);
|
|
|
96373c |
}
|
|
|
96373c |
@@ -504,7 +504,7 @@ get_substring_filter(
|
|
|
96373c |
f->f_sub_final = val;
|
|
|
96373c |
eval = (char *)slapi_escape_filter_value(val, -1);
|
|
|
96373c |
if (eval) {
|
|
|
96373c |
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
|
|
|
96373c |
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
|
|
|
96373c |
fstr_len += (strlen(eval) + 1) * 2;
|
|
|
96373c |
*fstr = slapi_ch_realloc(*fstr, fstr_len);
|
|
|
96373c |
}
|
|
|
96373c |
@@ -530,7 +530,7 @@ get_substring_filter(
|
|
|
96373c |
}
|
|
|
96373c |
|
|
|
96373c |
filter_compute_hash(f);
|
|
|
96373c |
- if (fstr_len < strlen(*fstr) + 3) {
|
|
|
96373c |
+ if (fstr_len <= strlen(*fstr) + 3) {
|
|
|
96373c |
fstr_len += 3;
|
|
|
96373c |
*fstr = slapi_ch_realloc(*fstr, fstr_len);
|
|
|
96373c |
}
|
|
|
96373c |
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
|
|
|
96373c |
index ddb2cc899..cb46efb3d 100644
|
|
|
96373c |
--- a/ldap/servers/slapd/util.c
|
|
|
96373c |
+++ b/ldap/servers/slapd/util.c
|
|
|
96373c |
@@ -161,6 +161,11 @@ do_escape_string(
|
|
|
96373c |
break;
|
|
|
96373c |
}
|
|
|
96373c |
do {
|
|
|
96373c |
+ if (bufSpace < 4) {
|
|
|
96373c |
+ memcpy(bufNext, "..", 2);
|
|
|
96373c |
+ bufNext += 2;
|
|
|
96373c |
+ goto bail;
|
|
|
96373c |
+ }
|
|
|
96373c |
if (esc == UTIL_ESCAPE_BACKSLASH) {
|
|
|
96373c |
/* *s is '\\' */
|
|
|
96373c |
/* If *(s+1) and *(s+2) are both hex digits,
|
|
|
96373c |
@@ -179,11 +184,6 @@ do_escape_string(
|
|
|
96373c |
*bufNext++ = '\\';
|
|
|
96373c |
--bufSpace;
|
|
|
96373c |
}
|
|
|
96373c |
- if (bufSpace < 3) {
|
|
|
96373c |
- memcpy(bufNext, "..", 2);
|
|
|
96373c |
- bufNext += 2;
|
|
|
96373c |
- goto bail;
|
|
|
96373c |
- }
|
|
|
96373c |
PR_snprintf(bufNext, 3, "%02x", *(unsigned char *)s);
|
|
|
96373c |
bufNext += 2;
|
|
|
96373c |
bufSpace -= 2;
|
|
|
96373c |
--
|
|
|
96373c |
2.13.6
|
|
|
96373c |
|