From 71b87e678bcc03bb9a0802f7dffc97cf354ee69a Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 5 Apr 2018 14:52:34 -0400
Subject: [PATCH] CVE-2018-1089 - Crash from long search filter
---
ldap/servers/slapd/filter.c | 8 ++++----
ldap/servers/slapd/util.c | 10 +++++-----
2 files changed, 9 insertions(+), 9 deletions(-)
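diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
index 2ac3d2cd8..393a4dcee 100644
--- a/ldap/servers/slapd/filter.c
+++ b/ldap/servers/slapd/filter.c
@@ -472,7 +472,7 @@ get_substring_filter(
 f->f_sub_initial = val;
 eval = (char *)slapi_escape_filter_value(val, -1);
 if (eval) {
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
 fstr_len += (strlen(eval) + 1) * 2;
 *fstr = slapi_ch_realloc(*fstr, fstr_len);
 }
@@ -486,7 +486,7 @@ get_substring_filter(
 charray_add(&f->f_sub_any, val);
 eval = (char *)slapi_escape_filter_value(val, -1);
 if (eval) {
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
 fstr_len += (strlen(eval) + 1) * 2;
 *fstr = slapi_ch_realloc(*fstr, fstr_len);
 }
@@ -504,7 +504,7 @@ get_substring_filter(
 f->f_sub_final = val;
 eval = (char *)slapi_escape_filter_value(val, -1);
 if (eval) {
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
 fstr_len += (strlen(eval) + 1) * 2;
 *fstr = slapi_ch_realloc(*fstr, fstr_len);
 }
@@ -530,7 +530,7 @@ get_substring_filter(
 }
 
 filter_compute_hash(f);
- if (fstr_len <= strlen(*fstr) + 3) {
+ if (fstr_len <= strlen(*fstr) + 3) {
 fstr_len += 3;
 *fstr = slapi_ch_realloc(*fstr, fstr_len);
 }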
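Review bot: Nothing in these hunks ties the `+ 1` and `+ 3` constants to the bytes actually appended to `*fstr`, because the write that follows each guard lies outside the visible lines, so the corrected boundary cannot be checked from the patch alone. The same check-and-grow sequence is repeated at all four sites in get_substring_filter (the three `eval` branches and the closing `+ 3` case), which is how a single off-by-one ended up in four places. Each guard should carry a comment stating what the slack covers, for example `/* <=: the append needs strlen(eval) + 1 bytes plus the terminating NUL */`, adjusted to whatever the following write really emits. A regression test with a substring filter whose escaped length lands exactly on the old `<` boundary would pin the fix. The function body starts and ends outside these hunks.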
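diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index ddb2cc899..cb46efb3d 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -161,6 +161,11 @@ do_escape_string(
 break;
 }
 do {
+ if (bufSpace < 4) {
+ memcpy(bufNext, "..", 2);
+ bufNext += 2;
+ goto bail;
+ }
 if (esc == UTIL_ESCAPE_BACKSLASH) {
 /* *s is '\\' */
 /* If *(s+1) and *(s+2) are both hex digits,
@@ -179,11 +184,6 @@ do_escape_string(
 *bufNext++ = '\\';
 --bufSpace;
 }
- if (bufSpace < 3) {
- memcpy(bufNext, "..", 2);
- bufNext += 2;
- goto bail;
- }
 PR_snprintf(bufNext, 3, "%02x", *(unsigned char *)s);
 bufNext += 2;
 bufSpace -= 2;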
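Review bot: The relocated guard's bail path still runs `memcpy(bufNext, "..", 2)` without confirming that two bytes remain, so when bufSpace is 0 or 1 it is safe only if the buffer has slack that bufSpace does not count. Neither hunk shows how bufSpace is initialised, so either state that reserve in a comment or make the copy conditional on `bufSpace >= 2`. The constant 4 is also unexplained; from the visible lines it appears to cover the backslash, the two hex digits and the NUL that `PR_snprintf(bufNext, 3, ...)` writes, and a comment such as `/* worst case per iteration: '\\' + 2 hex digits + NUL */` would make that checkable. do_escape_string begins and ends outside both hunks, so the other branches of the loop, which may write more or fewer bytes, should be checked against the same bound.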
--
2.13.6