|
|
61f723 |
From 040c492b4beb0efcd34b8420f682187441767055 Mon Sep 17 00:00:00 2001
|
|
|
61f723 |
From: Mark Reynolds <mreynolds@redhat.com>
|
|
|
61f723 |
Date: Tue, 16 Jan 2018 09:46:49 -0500
|
|
|
61f723 |
Subject: [PATCH] CVE-2017-15134 389-ds-base: Remote DoS via search filters in
|
|
|
61f723 |
slapi_filter_sprintf
|
|
|
a66391 |
|
|
|
61f723 |
Description: Improper handling of a search filter in slapi_filter_sprintf
|
|
|
61f723 |
in slapd/util.c can lead to remote server crash and denial
|
|
|
61f723 |
of service.
|
|
|
61f723 |
|
|
|
61f723 |
https://bugzilla.redhat.com/show_bug.cgi?id=1529117
|
|
|
a66391 |
---
|
|
|
a66391 |
ldap/servers/slapd/util.c | 36 +++++++++++++++++++++++++++++++-----
|
|
|
a66391 |
1 file changed, 31 insertions(+), 5 deletions(-)
|
|
|
a66391 |
|
|
|
a66391 |
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
|
|
|
61f723 |
index 4ff6d4141..ffeeff6f3 100644
|
|
|
a66391 |
--- a/ldap/servers/slapd/util.c
|
|
|
a66391 |
+++ b/ldap/servers/slapd/util.c
|
|
|
61f723 |
@@ -224,9 +224,10 @@ escape_string_for_filename(const char *str, char buf[BUFSIZ])
|
|
|
61f723 |
|
|
|
61f723 |
struct filter_ctx {
|
|
|
61f723 |
char *buf;
|
|
|
61f723 |
- char attr[ATTRSIZE];
|
|
|
61f723 |
+ char *attr;
|
|
|
61f723 |
int attr_position;
|
|
|
61f723 |
int attr_found;
|
|
|
61f723 |
+ size_t attr_size;
|
|
|
61f723 |
int buf_size;
|
|
|
61f723 |
int buf_len;
|
|
|
61f723 |
int next_arg_needs_esc_norm;
|
|
|
61f723 |
@@ -265,7 +266,7 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
|
|
|
a66391 |
* Start collecting the attribute name so we can use the correct
|
|
|
a66391 |
* syntax normalization func.
|
|
|
a66391 |
*/
|
|
|
61f723 |
- if(ctx->attr_found == 0 && ctx->attr_position < (ATTRSIZE - 1)){
|
|
|
61f723 |
+ if(ctx->attr_found == 0 && ctx->attr_position < (ctx->attr_size - 1)) {
|
|
|
61f723 |
if(ctx->attr[0] == '\0'){
|
|
|
61f723 |
if(strstr(val,"=")){
|
|
|
a66391 |
/* we have an attr we need to record */
|
|
|
61f723 |
@@ -279,6 +280,14 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
|
|
|
a66391 |
* attr with val. The next pass should be '=', otherwise we will
|
|
|
a66391 |
* reset it.
|
|
|
a66391 |
*/
|
|
|
a66391 |
+ if (slen > ctx->attr_size) {
|
|
|
a66391 |
+ if (ctx->attr_size == ATTRSIZE) {
|
|
|
a66391 |
+ ctx->attr = slapi_ch_calloc(sizeof(char), slen+1);
|
|
|
a66391 |
+ } else {
|
|
|
a66391 |
+ ctx->attr = slapi_ch_realloc(ctx->attr, sizeof(char) * (slen+1));
|
|
|
a66391 |
+ }
|
|
|
a66391 |
+ ctx->attr_size = slen+1;
|
|
|
a66391 |
+ }
|
|
|
a66391 |
memcpy(ctx->attr, val, slen);
|
|
|
a66391 |
ctx->attr_position = slen;
|
|
|
a66391 |
}
|
|
|
61f723 |
@@ -288,9 +297,20 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
|
|
|
a66391 |
} else {
|
|
|
61f723 |
if(special_attr_char(val[0])){
|
|
|
a66391 |
/* this is not an attribute, we should not be collecting this, reset everything */
|
|
|
a66391 |
- memset(ctx->attr, '\0', ATTRSIZE);
|
|
|
a66391 |
+ memset(ctx->attr, '\0', ctx->attr_size);
|
|
|
a66391 |
ctx->attr_position = 0;
|
|
|
a66391 |
} else {
|
|
|
a66391 |
+ /* we can be adding char by char and overrun allocated size */
|
|
|
a66391 |
+ if (ctx->attr_position >= ctx->attr_size) {
|
|
|
a66391 |
+ if (ctx->attr_size == ATTRSIZE) {
|
|
|
a66391 |
+ char *ctxattr = slapi_ch_calloc(sizeof(char), ctx->attr_size + ATTRSIZE);
|
|
|
a66391 |
+ memcpy(ctxattr, ctx->attr, ctx->attr_size);
|
|
|
a66391 |
+ ctx->attr = ctxattr;
|
|
|
a66391 |
+ } else {
|
|
|
a66391 |
+ ctx->attr = slapi_ch_realloc(ctx->attr, sizeof(char) * (ctx->attr_size + ATTRSIZE));
|
|
|
a66391 |
+ }
|
|
|
a66391 |
+ ctx->attr_size = ctx->attr_size + ATTRSIZE;
|
|
|
a66391 |
+ }
|
|
|
a66391 |
memcpy(ctx->attr + ctx->attr_position, val, 1);
|
|
|
a66391 |
ctx->attr_position++;
|
|
|
a66391 |
}
|
|
|
61f723 |
@@ -363,7 +383,7 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
|
|
|
a66391 |
ctx->next_arg_needs_esc_norm = 0;
|
|
|
a66391 |
ctx->attr_found = 0;
|
|
|
a66391 |
ctx->attr_position = 0;
|
|
|
a66391 |
- memset(ctx->attr, '\0', ATTRSIZE);
|
|
|
a66391 |
+ memset(ctx->attr, '\0', ctx->attr_size);
|
|
|
a66391 |
slapi_ch_free_string(&buf;;
|
|
|
a66391 |
|
|
|
a66391 |
return filter_len;
|
|
|
61f723 |
@@ -402,13 +422,15 @@ slapi_filter_sprintf(const char *fmt, ...)
|
|
|
a66391 |
{
|
|
|
a66391 |
struct filter_ctx ctx = {0};
|
|
|
a66391 |
va_list args;
|
|
|
a66391 |
+ char attr_static[ATTRSIZE] = {0};
|
|
|
a66391 |
char *buf;
|
|
|
a66391 |
int rc;
|
|
|
a66391 |
|
|
|
a66391 |
buf = slapi_ch_calloc(sizeof(char), FILTER_BUF + 1);
|
|
|
a66391 |
ctx.buf = buf;
|
|
|
61f723 |
- memset(ctx.attr,'\0', ATTRSIZE);
|
|
|
61f723 |
ctx.attr_position = 0;
|
|
|
a66391 |
+ ctx.attr = attr_static;
|
|
|
a66391 |
+ ctx.attr_size = ATTRSIZE;
|
|
|
a66391 |
ctx.attr_found = 0;
|
|
|
a66391 |
ctx.buf_len = FILTER_BUF;
|
|
|
61f723 |
ctx.buf_size = 0;
|
|
|
61f723 |
@@ -424,6 +446,10 @@ slapi_filter_sprintf(const char *fmt, ...)
|
|
|
a66391 |
}
|
|
|
a66391 |
va_end(args);
|
|
|
a66391 |
|
|
|
a66391 |
+ if (ctx.attr_size > ATTRSIZE) {
|
|
|
a66391 |
+ slapi_ch_free_string(&ctx.attr);
|
|
|
a66391 |
+ }
|
|
|
a66391 |
+
|
|
|
a66391 |
return ctx.buf;
|
|
|
a66391 |
}
|
|
|
a66391 |
|
|
|
a66391 |
--
|
|
|
a66391 |
2.13.6
|
|
|
a66391 |
|