rpms / 389-ds-base

Clone
Source Code
GIT

Files

  1.   3b7e51f48dbafaf941dee8eff338b2b850c4d0b4
  2.   SOURCES
  3.   0077-CVE-2018-1089-Crash-from-long-search-filter.patch
Blob Blame History Raw 
From 71b87e678bcc03bb9a0802f7dffc97cf354ee69a Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 5 Apr 2018 14:52:34 -0400
Subject: [PATCH] CVE-2018-1089 - Crash from long search filter

---
 ldap/servers/slapd/filter.c |  8 ++++----
 ldap/servers/slapd/util.c   | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
index 2ac3d2cd8..393a4dcee 100644
--- a/ldap/servers/slapd/filter.c
+++ b/ldap/servers/slapd/filter.c
@@ -472,7 +472,7 @@ get_substring_filter(
             f->f_sub_initial = val;
             eval = (char *)slapi_escape_filter_value(val, -1);
             if (eval) {
-                if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+                if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
                     fstr_len += (strlen(eval) + 1) * 2;
                     *fstr = slapi_ch_realloc(*fstr, fstr_len);
                 }
@@ -486,7 +486,7 @@ get_substring_filter(
             charray_add(&f->f_sub_any, val);
             eval = (char *)slapi_escape_filter_value(val, -1);
             if (eval) {
-                if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+                if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
                     fstr_len += (strlen(eval) + 1) * 2;
                     *fstr = slapi_ch_realloc(*fstr, fstr_len);
                 }
@@ -504,7 +504,7 @@ get_substring_filter(
             f->f_sub_final = val;
             eval = (char *)slapi_escape_filter_value(val, -1);
             if (eval) {
-                if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+                if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
                     fstr_len += (strlen(eval) + 1) * 2;
                     *fstr = slapi_ch_realloc(*fstr, fstr_len);
                 }
@@ -530,7 +530,7 @@ get_substring_filter(
     }
 
     filter_compute_hash(f);
-    if (fstr_len < strlen(*fstr) + 3) {
+    if (fstr_len <= strlen(*fstr) + 3) {
         fstr_len += 3;
         *fstr = slapi_ch_realloc(*fstr, fstr_len);
     }
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index ddb2cc899..cb46efb3d 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -161,6 +161,11 @@ do_escape_string(
                     break;
                 }
                 do {
+                    if (bufSpace < 4) {
+                        memcpy(bufNext, "..", 2);
+                        bufNext += 2;
+                        goto bail;
+                    }
                     if (esc == UTIL_ESCAPE_BACKSLASH) {
                         /* *s is '\\' */
                         /* If *(s+1) and *(s+2) are both hex digits,
@@ -179,11 +184,6 @@ do_escape_string(
                             *bufNext++ = '\\';
                             --bufSpace;
                         }
-                        if (bufSpace < 3) {
-                            memcpy(bufNext, "..", 2);
-                            bufNext += 2;
-                            goto bail;
-                        }
                         PR_snprintf(bufNext, 3, "%02x", *(unsigned char *)s);
                         bufNext += 2;
                         bufSpace -= 2;
-- 
2.13.6

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation