From: Jeremy Allison
Date: Tue, 9 Jun 2015 21:00:01 +0000 (-0700)
Subject: CVE-2015-3223: lib: ldb: Use memmem binary search, not strstr text search.
X-Git-Tag: samba-4.1.22~17
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=bb1b783ee9d7259cfc6a1fe882f22189747f8684
CVE-2015-3223: lib: ldb: Use memmem binary search, not strstr text search.
Values might have embedded zeros.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
---
diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
index 8bdb0e19b16..0f5c5b51440 100644
--- a/lib/ldb/common/ldb_match.c
+++ b/lib/ldb/common/ldb_match.c
@@ -240,7 +240,6 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 struct ldb_val val;
 struct ldb_val cnk;
 struct ldb_val *chunk;
- char *p, *g;
 uint8_t *save_p = NULL;
 unsigned int c = 0;
@@ -287,6 +286,7 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 }
 while (tree->u.substring.chunks[c]) {
+ uint8_t *p;
 chunk = tree->u.substring.chunks[c];
 if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
@@ -298,15 +298,24 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 if (cnk.length == 0) {
 goto mismatch;
 }
- p = strstr((char *)val.data, (char *)cnk.data);
+ /*
+ * Values might be binary blobs. Don't use string
+ * search, but memory search instead.
+ */
+ p = memmem((const void *)val.data,val.length,
+ (const void *)cnk.data, cnk.length);
 if (p == NULL) goto mismatch;
 if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
+ uint8_t *g;
 do { /* greedy */
- g = strstr((char *)p + cnk.length, (char *)cnk.data);
+ g = memmem(p + cnk.length,
+ val.length - (p - val.data),
+ (const uint8_t *)cnk.data,
+ cnk.length);
 if (g) p = g;
 } while(g);
 }
- val.length = val.length - (p - (char *)(val.data)) - cnk.length;
+ val.length = val.length - (p - (uint8_t *)(val.data)) - cnk.length;
 val.data = (uint8_t *)(p + cnk.length);
 c++;
 talloc_free(cnk.data);
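Review bot: The greedy `memmem` call in the `do { /* greedy */` loop passes a haystack length that is `cnk.length` bytes too long. The haystack starts at `p + cnk.length`, but the length `val.length - (p - val.data)` is measured from `p`, so the search window extends up to `cnk.length` bytes past the end of the value buffer. Because the added comment says these values may be arbitrary binary blobs, that is an out-of-bounds read on data that need not be NUL-terminated or padded. The length argument should be `val.length - (p - val.data) - cnk.length`; this cannot underflow, since a successful match at `p` guarantees at least `cnk.length` bytes remain from `p`. ldb_wildcard_compare begins and ends outside this hunk, so it is worth confirming how `val.data` is allocated when judging the impact.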