ldap/servers/slapd/ldaputil.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
New commits:
commit 8c17df640eda4ef5b8f15b2f01c8b169db73f7a0
Author: William Brown <firstyear(a)redhat.com>
Date: Thu Nov 19 14:16:31 2015 +1000
Ticket 48351 - Fix buffer overflow error when reading url with len 0
https://fedorahosted.org/389/ticket/48351
Bug Description: In ldaputil.c it's possible to have url_to_use with a len of 0
This means we are reading from an undefined area of memory.
Fix Description: Check len before the smprintf, and if 0, then provide a
default of "/" which matches the theoretical behaviour of the format. We also
have a stronger check to prevent NULL from being passed as a URL to validate.
Author: wibrown
Review by: nhosoi, mreynolds (Thanks!)
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 8289dd7..9281e20 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -256,6 +256,10 @@ slapi_ldap_url_parse(const char *url, LDAPURLDesc **ludpp, int
require_dn, int *
PR_ASSERT(url);
PR_ASSERT(ludpp);
int rc;
+ /* This blocks NULL getting to strlen via url_to_use later in the function. */
+ if (url == NULL) {
+ return LDAP_PARAM_ERROR;
+ }
const char *url_to_use = url;
#if defined(USE_OPENLDAP)
char *urlescaped = NULL;
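Review bot: `ludpp` is still guarded only by `PR_ASSERT(ludpp)`, which NSPR compiles out of non-debug builds, yet the function dereferences it later (the second hunk shows `if (*ludpp)`). The new runtime check should cover both pointers: `if (url == NULL || ludpp == NULL) { return LDAP_PARAM_ERROR; }`. In debug builds `PR_ASSERT(url)` fires before the new branch, so the error return is only reachable in optimized builds; the comment could say so, e.g. `/* PR_ASSERT is a no-op in optimized builds, so reject NULL explicitly before strlen() sees it. */`. The body of slapi_ldap_url_parse continues outside this hunk.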
@@ -339,7 +343,13 @@ slapi_ldap_url_parse(const char *url, LDAPURLDesc **ludpp, int
require_dn, int *
as the DN (adding a trailing / first if needed) and try to parse
again
*/
- char *urlcopy = slapi_ch_smprintf("%s%s%s", url_to_use,
(url_to_use[len-1] == '/' ? "" : "/"), "");
+ char *urlcopy;
+ if (len > 0) {
+ urlcopy = slapi_ch_smprintf("%s%s%s", url_to_use,
(url_to_use[len-1] == '/' ? "" : "/"), "");
+ } else {
+ /* When len == 0, this is effectively what we create ... */
+ urlcopy = slapi_ch_smprintf("/");
+ }
if (*ludpp) {
ldap_free_urldesc(*ludpp); /* free the old one, if any */
}
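Review bot: The two branches can be a single call by moving the length test into the index expression, which keeps one allocation path and leaves no way to reach `url_to_use[len-1]` with `len == 0`: `char *urlcopy = slapi_ch_smprintf("%s%s", url_to_use, (len > 0 && url_to_use[len-1] == '/') ? "" : "/");`. For an empty string this still yields "/", and the trailing `""` argument of the old format is dropped because it adds nothing. The comment on the else branch should name the actual hazard, for example `/* len == 0: url_to_use[len-1] would read one byte before the buffer */`. Where `len` is computed is outside the hunk, so whether it is always the length of the current `url_to_use` (after any escaping) should be confirmed there.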