CVE-2015-5330: ldb_dn_explode: copy strings by length, not terminators

author Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Wed, 25 Nov 2015 22:17:11 +0000 (11:17 +1300)

committer Ralph Boehme <slow@samba.org>

Wed, 9 Dec 2015 16:19:53 +0000 (17:19 +0100)
author Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 25 Nov 2015 22:17:11 +0000 (11:17 +1300)
committer Ralph Boehme <slow@samba.org>
Wed, 9 Dec 2015 16:19:53 +0000 (17:19 +0100)
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c

index 6f9903e3e65de68b9624ffb19cd09f02cdbf3225..dfd3b5844cf04dedd7555017ec158c2ab7f0f1b5 100644 (file)
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -586,12 +586,15 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
  
                                 p++;
                                 *d++ = '\0';
-                               dn->components[dn->comp_num].value.data = (uint8_t *)talloc_strdup(dn->components, dt);
+                               dn->components[dn->comp_num].value.data = \
+                                       (uint8_t *)talloc_memdup(dn->components, dt, l + 1);
                                 dn->components[dn->comp_num].value.length = l;
                                 if ( ! dn->components[dn->comp_num].value.data) {
                                         /* ouch ! */
                                         goto failed;
                                 }
+                               talloc_set_name_const(dn->components[dn->comp_num].value.data,
+                                                     (const char *)dn->components[dn->comp_num].value.data);
  
                                 dt = d;
  
@@ -707,11 +710,13 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
         *d++ = '\0';
         dn->components[dn->comp_num].value.length = l;
         dn->components[dn->comp_num].value.data =
-                               (uint8_t *)talloc_strdup(dn->components, dt);
+               (uint8_t *)talloc_memdup(dn->components, dt, l + 1);
         if ( ! dn->components[dn->comp_num].value.data) {
                 /* ouch */
                 goto failed;
         }
+       talloc_set_name_const(dn->components[dn->comp_num].value.data,
+                             (const char *)dn->components[dn->comp_num].value.data);
  
         dn->comp_num++;
author	Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
	Wed, 25 Nov 2015 22:17:11 +0000 (11:17 +1300)
committer	Ralph Boehme <slow@samba.org>
	Wed, 9 Dec 2015 16:19:53 +0000 (17:19 +0100)