diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-09-29 04:45:15 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:20:26 -0500 |
commit | 31454d2e8b70f7aca87099dba25abe790781c7a7 (patch) | |
tree | d78b19f48d999df4ec5f475c91fff16d883ecf44 | |
parent | 736e797983d8fa5bd7467a1d47bd137290abb478 (diff) | |
download | samba-31454d2e8b70f7aca87099dba25abe790781c7a7.tar.gz samba-31454d2e8b70f7aca87099dba25abe790781c7a7.tar.bz2 samba-31454d2e8b70f7aca87099dba25abe790781c7a7.zip |
r18989: Fixes found by these two LDAP testsuites:
- http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
- http://gleg.net/protover_ldap_sample.shtml
Also fixes found by a subsequent audit of the code for similar issues.
(This used to be commit 441a4f6262459dabfefd9bb12622ada9c007a60c)
-rw-r--r-- | source4/ldap_server/ldap_backend.c | 4 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap.c | 25 | ||||
-rw-r--r-- | source4/libcli/util/asn1.c | 23 |
3 files changed, 47 insertions, 5 deletions
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index e8e3e293b7..3cd1f1c58a 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c @@ -220,6 +220,10 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call) scope = LDB_SCOPE_SUBTREE; success_limit = 0; break; + default: + result = LDAP_PROTOCOL_ERROR; + errstr = "Invalid scope"; + break; } if (req->num_attributes >= 1) { diff --git a/source4/libcli/ldap/ldap.c b/source4/libcli/ldap/ldap.c index 6a0b86f78b..5a7174b41d 100644 --- a/source4/libcli/ldap/ldap.c +++ b/source4/libcli/ldap/ldap.c @@ -949,8 +949,14 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg) r->mechanism = LDAP_AUTH_MECH_SIMPLE; asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(0)); pwlen = asn1_tag_remaining(data); + if (pwlen == -1) { + return False; + } if (pwlen != 0) { char *pw = talloc_size(msg, pwlen+1); + if (!pw) { + return False; + } asn1_read(data, pw, pwlen); pw[pwlen] = '\0'; r->creds.password = pw; @@ -974,6 +980,9 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg) r->creds.SASL.secblob = NULL; } asn1_end_tag(data); + } else { + /* Neither Simple nor SASL bind */ + return False; } asn1_end_tag(data); break; @@ -1096,8 +1105,9 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg) ldap_decode_attrib(msg, data, &mod.attrib); asn1_end_tag(data); if (!add_mod_to_array_talloc(msg, &mod, - &r->mods, &r->num_mods)) - break; + &r->mods, &r->num_mods)) { + return False; + } } asn1_end_tag(data); @@ -1146,6 +1156,9 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg) asn1_start_tag(data, ASN1_APPLICATION_SIMPLE(LDAP_TAG_DelRequest)); len = asn1_tag_remaining(data); + if (len == -1) { + return False; + } dn = talloc_size(msg, len+1); if (dn == NULL) break; @@ -1179,9 +1192,13 @@ BOOL ldap_decode(struct asn1_data *data, struct ldap_message *msg) char *newsup; asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(0)); len = asn1_tag_remaining(data); + if (len == -1) { + return False; + } newsup = talloc_size(msg, len+1); - if (newsup == NULL) - break; + if (newsup == NULL) { + return False; + } asn1_read(data, newsup, len); newsup[len] = '\0'; r->newsuperior = newsup; diff --git a/source4/libcli/util/asn1.c b/source4/libcli/util/asn1.c index db3f7823fa..01c869dc17 100644 --- a/source4/libcli/util/asn1.c +++ b/source4/libcli/util/asn1.c @@ -396,6 +396,9 @@ BOOL asn1_start_tag(struct asn1_data *data, uint8_t tag) nesting->start = data->ofs; nesting->next = data->nesting; data->nesting = nesting; + if (asn1_tag_remaining(data) == -1) { + return False; + } return !data->has_error; } @@ -426,11 +429,21 @@ BOOL asn1_end_tag(struct asn1_data *data) /* work out how many bytes are left in this nested tag */ int asn1_tag_remaining(struct asn1_data *data) { + int remaining; + if (data->has_error) { + return -1; + } + if (!data->nesting) { data->has_error = True; return -1; } - return data->nesting->taglen - (data->ofs - data->nesting->start); + remaining = data->nesting->taglen - (data->ofs - data->nesting->start); + if (remaining > (data->length - data->ofs)) { + data->has_error = True; + return -1; + } + return remaining; } /* read an object ID from a ASN1 buffer */ @@ -518,6 +531,10 @@ BOOL asn1_read_OctetString(struct asn1_data *data, DATA_BLOB *blob) return False; } *blob = data_blob(NULL, len+1); + if (!blob->data) { + data->has_error = True; + return False; + } asn1_read(data, blob->data, len); asn1_end_tag(data); blob->length--; @@ -542,6 +559,10 @@ BOOL asn1_read_ContextSimple(struct asn1_data *data, uint8_t num, DATA_BLOB *blo return False; } *blob = data_blob(NULL, len); + if (!blob->data) { + data->has_error = True; + return False; + } asn1_read(data, blob->data, len); asn1_end_tag(data); return !data->has_error; |