Add bounds checking in DN unescape function

My previous patch for bug 504817 could cause us to read past the end of the RDN string if it ended with a single escape character. This fix adds a bounds check to ensure that we don't read past the end of the string.
author: Nathan Kinder <nkinder@redhat.com> 2009-11-18 22:05:57 -0800
committer: Nathan Kinder <nkinder@redhat.com> 2009-11-18 22:05:57 -0800
commit: c177c34eef54e4ef6dc96cd22418a47cbd03789e (patch)
tree: b9eac2d164c63cb946fe77d6e171356c1ea629cb /ldap/servers/slapd/util.c
parent: 5c71f20ebfa08b7f8d86eb57d5a73a8a44f5bb8e (diff)
download: ds-c177c34eef54e4ef6dc96cd22418a47cbd03789e.tar.gz
ds-c177c34eef54e4ef6dc96cd22418a47cbd03789e.tar.xz
ds-c177c34eef54e4ef6dc96cd22418a47cbd03789e.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index c8d9a744..71a2305b 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -236,8 +236,10 @@ strcpy_unescape_value( char *d, const char *s )
                 }
             }
             /* This is an escaped single character (like \"), so
-             * just copy the special character and not the escape. */
-            if (gotesc) {
+             * just copy the special character and not the escape.
+             * We need to be careful to not go past the end of
+             * the string when the loop increments s. */
+            if (gotesc && (s+1 < end)) {
                 s++;
                 *d++ = *s;
                 gotesc = 0;
author	Nathan Kinder <nkinder@redhat.com>	2009-11-18 22:05:57 -0800
committer	Nathan Kinder <nkinder@redhat.com>	2009-11-18 22:05:57 -0800
commit	c177c34eef54e4ef6dc96cd22418a47cbd03789e (patch)
tree	b9eac2d164c63cb946fe77d6e171356c1ea629cb /ldap/servers/slapd/util.c
parent	5c71f20ebfa08b7f8d86eb57d5a73a8a44f5bb8e (diff)
download	ds-c177c34eef54e4ef6dc96cd22418a47cbd03789e.tar.gz ds-c177c34eef54e4ef6dc96cd22418a47cbd03789e.tar.xz ds-c177c34eef54e4ef6dc96cd22418a47cbd03789e.zip