From 7bcac237656083e67bbac9b50be9b319bb2d7eb8 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Tue, 24 Nov 2015 13:09:36 +1300
Subject: [PATCH 1/1] CVE-2015-5330: ldb_dn_escape_value: use known string
 length, not strlen()

ldb_dn_escape_internal() reports the number of bytes it copied, so
lets use that number, rather than using strlen() and hoping a zero got
in the right place.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
 lib/ldb/common/ldb_dn.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index 1b8e51e4990..a3b8f921b49 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -250,7 +250,7 @@ static int ldb_dn_escape_internal(char *dst, const char *src, int len)
 char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
 {
 	char *dst;
-
+	size_t len;
 	if (!value.length)
 		return NULL;
 
@@ -261,10 +261,14 @@ char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
 		return NULL;
 	}
 
-	ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
-
-	dst = talloc_realloc(mem_ctx, dst, char, strlen(dst) + 1);
+	len = ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
 
+	dst = talloc_realloc(mem_ctx, dst, char, len + 1);
+	if ( ! dst) {
+		talloc_free(dst);
+		return NULL;
+	}
+	dst[len] = '\0';
 	return dst;
 }
 
-- 
2.34.1