From 44c6372830d314f8de0acb6b5b1e245ff30eaba2 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz
Date: Wed, 6 Dec 2017 15:14:57 +0100
Subject: [PATCH] Ticket 49471 - heap-buffer-overflow in ss_unescape

Bug Description:
Two problems here
- when searching for wildcard and escape char, ss_unescape assumes the string is at least 3 chars longs. So memcmp can overflow a shorter string
- while splitting a string into substring pattern, it loops over wildcard and can overpass the string end

Fix Description:
For the first problem, it checks the string size is long enough to memcmp a wildcard or an escape
For the second it exits from the loop as soon as the end of the string is reached

https://pagure.io/389-ds-base/issue/49471

Reviewed by: ?

Platforms tested: F23

Flag Day: no

Doc impact: no
---
 ldap/servers/plugins/collation/orfilter.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/ldap/servers/plugins/collation/orfilter.c b/ldap/servers/plugins/collation/orfilter.c
index 5a2d8a0..8c542f1 100644
--- a/ldap/servers/plugins/collation/orfilter.c
+++ b/ldap/servers/plugins/collation/orfilter.c
@@ -313,12 +313,12 @@ ss_unescape(struct berval *val)
     char *t = s;
     char *limit = s + val->bv_len;
     while (s < limit) {
-        if (!memcmp(s, "\\2a", 3) ||
-            !memcmp(s, "\\2A", 3)) {
+        if (((limit - s) >= 3) &&
+            (!memcmp(s, "\\2a", 3) || !memcmp(s, "\\2A", 3))) {
             *t++ = WILDCARD;
             s += 3;
-        } else if (!memcmp(s, "\\5c", 3) ||
-                   !memcmp(s, "\\5C", 3)) {
+        } else if ((limit - s) >= 3 &&
+                   (!memcmp(s, "\\5c", 3) || !memcmp(s, "\\5C", 3))) {
             *t++ = '\\';
             s += 3;
         } else {
@@ -409,13 +409,14 @@ ss_filter_values(struct berval *pattern, int *query_op)
         switch (*p) {
         case WILDCARD:
             result[n++] = ss_filter_value(s, p - s, &val);
-            while (++p != plimit && *p == WILDCARD)
-                ;
+            while (p != plimit && *p == WILDCARD) p++;
             s = p;
             break;
         default:
             break;
         }
+        if (p >= plimit)
+            break;
     }
     if (p != s || s == plimit) {
         result[n++] = ss_filter_value(s, p - s, &val);
-- 
2.5.5
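Review bot: The two new length guards in ss_unescape spell the same check two ways, `((limit - s) >= 3) &&` in the `if` and `(limit - s) >= 3 &&` in the `else if`; pick one form, or compute it once ahead of the `if` as `int has_escape = (limit - s) >= 3;` so the two `memcmp` pairs read symmetrically. The guard also introduces a behaviour worth recording on the `while` line, namely that a trailing `\` sequence shorter than three bytes is no longer matched as an escape and falls through to the `else` branch, e.g. `/* \2a and \5c escapes are exactly 3 bytes; a shorter tail is not an escape and is copied as-is */`. What that `else` branch does with `s` and `t` is outside the hunk, so I can only assume it copies the byte through; the rest of ss_unescape's body is not visible here.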
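Review bot: The `if (p >= plimit) break;` added after the `switch` in ss_filter_values stops the enclosing loop's own step from moving `p` past `plimit` once the inner `while` has consumed a wildcard run that reaches the end of the pattern, but it only repairs this splitting pass; if the function has an earlier pass that sizes `result` with the same `while (++p != plimit && *p == WILDCARD)` idiom, it needs the identical change, which this hunk does not show. Because only the WILDCARD case moves `p`, a one-line comment on the new check would save the next reader a trace, e.g. `/* a trailing wildcard run leaves p == plimit; the loop step must not go past it */`. On style, the surrounding context puts every loop body on its own line, so `while (p != plimit && *p == WILDCARD) p++;` would match the file better as a braced two-line loop. The enclosing loop header and the function's start and end lie outside the hunk.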