From 4016cfcab7bfb3ffd48a7592fa16952688525493 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 21 Aug 2008 12:51:06 +1000
Subject: Don't allow a NULL syntax
(This used to be commit 505a0c2b702b696b91dab683626bb25b14a49c38)
---
source4/lib/ldb/common/ldb_attributes.c | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'source4/lib/ldb/common')
diff --git a/source4/lib/ldb/common/ldb_attributes.c b/source4/lib/ldb/common/ldb_attributes.c
index 3b9d01682c..747f241781 100644
--- a/source4/lib/ldb/common/ldb_attributes.c
+++ b/source4/lib/ldb/common/ldb_attributes.c
@@ -51,6 +51,10 @@ int ldb_schema_attribute_add_with_syntax(struct ldb_context *ldb,
int i, n;
struct ldb_schema_attribute *a;
+ if (!syntax) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
n = ldb->schema.num_attributes + 1;
a = talloc_realloc(ldb, ldb->schema.attributes,
-- cgit
From 4ad97a1d0593b3401a352407009a99ead23f21f2 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 21 Aug 2008 19:24:58 +1000
Subject: Don't walk past the end of ldb values.
This is a partial fix towards bugs due to us walking past the end of what we think are strings in ldb. There is much more work to do in this area.
Andrew Bartlett
(This used to be commit 5805a9a8f35fd90fa4f718f73534817fa3bbdfd2)
---
source4/lib/ldb/common/ldb_dn.c | 23 ++++++++++++++++-------
source4/lib/ldb/common/ldb_msg.c | 6 +++---
2 files changed, 19 insertions(+), 10 deletions(-)
(limited to 'source4/lib/ldb/common')
diff --git a/source4/lib/ldb/common/ldb_dn.c b/source4/lib/ldb/common/ldb_dn.c
index 08911344b7..c0d36cfbf3 100644
--- a/source4/lib/ldb/common/ldb_dn.c
+++ b/source4/lib/ldb/common/ldb_dn.c
@@ -71,7 +71,7 @@ struct ldb_dn {
};
/* strdn may be NULL */
-struct ldb_dn *ldb_dn_new(void *mem_ctx, struct ldb_context *ldb, const char *strdn)
+struct ldb_dn *ldb_dn_from_ldb_val(void *mem_ctx, struct ldb_context *ldb, const struct ldb_val *strdn)
{
struct ldb_dn *dn;
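Review bot: The new NULL-syntax guard returns LDB_ERR_OPERATIONS_ERROR without recording why, so a caller that passes a NULL syntax gets the same generic code the rest of this function presumably returns for other failures and has nothing to debug from. A one-line diagnostic before the return, `ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_schema_attribute_add_with_syntax: NULL syntax");`, matches how ldb_handler_fold reports its failures later in this series. The remaining parameters and the body of ldb_schema_attribute_add_with_syntax are outside the hunk, so whether the attribute name deserves the same check cannot be judged here.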
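Review bot: The context line `/* strdn may be NULL */` now documents ldb_dn_from_ldb_val, but the rewritten body in the @@ -82 hunk dereferences `strdn->data` and `strdn->length` unconditionally, so a NULL strdn pointer is no longer tolerated, only a NULL or empty data member is. Either the comment should say so, `/* strdn must not be NULL; strdn->data may be NULL or empty */`, or the old contract should be kept with a guard such as `if (strdn && strdn->data && strdn->length) {` in place of the new condition. The ldb_dn_new wrapper added in the @@ -115 hunk carries the same comment correctly, which makes the stale copy here more confusing. The function body continues past the end of this hunk.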
@@ -82,27 +82,27 @@ struct ldb_dn *ldb_dn_new(void *mem_ctx, struct ldb_context *ldb, const char *st
dn->ldb = ldb;
- if (strdn) {
- if (strdn[0] == '@') {
+ if (strdn->data && strdn->length) {
+ if (strdn->data[0] == '@') {
dn->special = true;
}
- if (strncasecmp(strdn, "length >= 6 && strncasecmp((const char *)strdn->data, "special = true;
/* FIXME: add a GUID string to ldb_dn structure */
- } else if (strncasecmp(strdn, "length >= 8 && strncasecmp((const char *)strdn->data, "special = true;
/* FIXME: add a SID string to ldb_dn structure */
- } else if (strncasecmp(strdn, "length >= 8 && strncasecmp((const char *)strdn->data, "special = true;
/* FIXME: add a WKGUID string to ldb_dn structure */
}
- dn->linearized = talloc_strdup(dn, strdn);
+ dn->linearized = talloc_strndup(dn, (const char *)strdn->data, strdn->length);
} else {
dn->linearized = talloc_strdup(dn, "");
}
@@ -115,6 +115,15 @@ failed:
return NULL;
}
+/* strdn may be NULL */
+struct ldb_dn *ldb_dn_new(void *mem_ctx, struct ldb_context *ldb, const char *strdn)
+{
+ struct ldb_val blob;
+ blob.data = strdn;
+ blob.length = strdn ? strlen(strdn) : 0;
+ return ldb_dn_from_ldb_val(mem_ctx, ldb, &blob);
+}
+
struct ldb_dn *ldb_dn_new_fmt(void *mem_ctx, struct ldb_context *ldb, const char *new_fmt, ...)
{
struct ldb_dn *dn;
diff --git a/source4/lib/ldb/common/ldb_msg.c b/source4/lib/ldb/common/ldb_msg.c
index c1ea9db56b..2f5fe1d18c 100644
--- a/source4/lib/ldb/common/ldb_msg.c
+++ b/source4/lib/ldb/common/ldb_msg.c
@@ -389,10 +389,10 @@ int ldb_msg_find_attr_as_bool(const struct ldb_message *msg,
if (!v || !v->data) {
return default_value;
}
- if (strcasecmp((const char *)v->data, "FALSE") == 0) {
+ if (v->length == 5 && strncasecmp((const char *)v->data, "FALSE", 5) == 0) {
return 0;
}
- if (strcasecmp((const char *)v->data, "TRUE") == 0) {
+ if (v->length == 4 && strncasecmp((const char *)v->data, "TRUE", 4) == 0) {
return 1;
}
return default_value;
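Review bot: `talloc_strndup(dn, (const char *)strdn->data, strdn->length)` caps the copy at strdn->length but, like strndup, presumably still stops at the first NUL byte, so a value carrying an embedded NUL yields a linearized DN shorter than the bytes the `@` and prefix checks above were applied to. If such values can reach this constructor from untrusted input, rejecting them up front keeps the DN text and the value consistent, e.g. `if (memchr(strdn->data, '\0', strdn->length) != NULL) goto failed;` before the prefix checks, using the `failed:` label the @@ -115 hunk shows at the end of this function. The special-prefix comparisons are garbled in this rendering of the hunk, so their exact form cannot be reviewed here. ldb_dn_from_ldb_val starts and ends outside this hunk.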
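Review bot: `blob.data = strdn;` stores a `const char *` into the blob's data member, which every other line of this diff handles as `uint8_t *` (reads cast it with `(const char *)`, ldb_handler_fold stores into it via `(uint8_t *)`), so the assignment both drops the const qualifier and mixes pointer types and will draw a compiler diagnostic. An explicit cast, `blob.data = (uint8_t *)strdn;`, states the intent, and casting away const is acceptable here only because ldb_dn_from_ldb_val takes a `const struct ldb_val *` and only reads through it. That reasoning is worth a one-line comment on the cast, so a later change that writes through the blob does not silently start modifying a string literal handed in by a caller.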
@@ -421,7 +421,7 @@ struct ldb_dn *ldb_msg_find_attr_as_dn(struct ldb_context *ldb,
if (!v || !v->data) {
return NULL;
}
- res_dn = ldb_dn_new(mem_ctx, ldb, (const char *)v->data);
+ res_dn = ldb_dn_from_ldb_val(mem_ctx, ldb, v);
if ( ! ldb_dn_validate(res_dn)) {
talloc_free(res_dn);
return NULL;
-- cgit
From cc43037f19056ed24d7fffa54456d597c63ad105 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Fri, 22 Aug 2008 17:36:56 +1000
Subject: fixed a problem with length limited ldap values
The core ldb code for string matching assumed NULL terminated strings, whereas the anr module used data_blob_const() to effectively truncate a ldb_val by changing its length.
The ldb code is supposed to be based around length limited blobs, not NULL terminated strings, so the correct fix was to change the string comparison functions to be length limited
(This used to be commit 26c6aa5a80ffaf06fc33f30a6533f8f16ef538bc)
---
source4/lib/ldb/common/attrib_handlers.c | 27 +++++++++++++++++----------
source4/lib/ldb/common/ldb_utf8.c | 12 ++++++------
2 files changed, 23 insertions(+), 16 deletions(-)
(limited to 'source4/lib/ldb/common')
diff --git a/source4/lib/ldb/common/attrib_handlers.c b/source4/lib/ldb/common/attrib_handlers.c
index 8ed2763d4d..fb57e2dadc 100644
--- a/source4/lib/ldb/common/attrib_handlers.c
+++ b/source4/lib/ldb/common/attrib_handlers.c
@@ -55,11 +55,12 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx,
{
char *s, *t;
int l;
+
if (!in || !out || !(in->data)) {
return -1;
}
- out->data = (uint8_t *)ldb_casefold(ldb, mem_ctx, (const char *)(in->data));
+ out->data = (uint8_t *)ldb_casefold(ldb, mem_ctx, (const char *)(in->data), in->length);
if (out->data == NULL) {
ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_handler_fold: unable to casefold string [%s]", in->data);
return -1;
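Review bot: The error path two lines below the changed call still prints `in->data` with `%s`, which reads the value as a NUL-terminated string even though the call just above now passes `in->length` precisely because ldb values are length-limited blobs; a value without a terminator would make the diagnostic itself read past the end of the buffer. Bounding the format to the value's length fixes it: `ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_handler_fold: unable to casefold string [%.*s]", (int)in->length, in->data);`. The body of ldb_handler_fold continues beyond this hunk.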
@@ -153,13 +154,14 @@ int ldb_comparison_fold(struct ldb_context *ldb, void *mem_ctx,
const struct ldb_val *v1, const struct ldb_val *v2)
{
const char *s1=(const char *)v1->data, *s2=(const char *)v2->data;
+ size_t n1 = v1->length, n2 = v2->length;
const char *u1, *u2;
char *b1, *b2;
int ret;
- while (*s1 == ' ') s1++;
- while (*s2 == ' ') s2++;
+ while (*s1 == ' ' && n1) { s1++; n1--; };
+ while (*s2 == ' ' && n2) { s2++; n2--; };
/* TODO: make utf8 safe, possibly with helper function from application */
- while (*s1 && *s2) {
+ while (*s1 && *s2 && n1 && n2) {
/* the first 127 (0x7F) chars are ascii and utf8 guarantes they
* never appear in multibyte sequences */
if (((unsigned char)s1[0]) & 0x80) goto utf8str;
@@ -167,10 +169,11 @@ int ldb_comparison_fold(struct ldb_context *ldb, void *mem_ctx,
if (toupper((unsigned char)*s1) != toupper((unsigned char)*s2))
break;
if (*s1 == ' ') {
- while (s1[0] == s1[1]) s1++;
- while (s2[0] == s2[1]) s2++;
+ while (s1[0] == s1[1] && n1) { s1++; n1--; }
+ while (s2[0] == s2[1] && n2) { s2++; n2--; }
}
s1++; s2++;
+ n1--; n2--;
}
if (! (*s1 && *s2)) {
/* check for trailing spaces only if one of the pointers
@@ -178,15 +181,18 @@ int ldb_comparison_fold(struct ldb_context *ldb, void *mem_ctx,
* can mistakenly match.
* ex. "domain users" <-> "domainUpdates" */
- while (*s1 == ' ') s1++;
- while (*s2 == ' ') s2++;
+ while (*s1 == ' ') { s1++; n1--; }
+ while (*s2 == ' ') { s2++; n2--; }
+ }
+ if (n1 != n2) {
+ return n1 - n2;
}
return (int)(toupper(*s1)) - (int)(toupper(*s2));
utf8str:
/* no need to recheck from the start, just from the first utf8 char found */
- b1 = ldb_casefold(ldb, mem_ctx, s1);
- b2 = ldb_casefold(ldb, mem_ctx, s2);
+ b1 = ldb_casefold(ldb, mem_ctx, s1, n1);
+ b2 = ldb_casefold(ldb, mem_ctx, s2, n2);
if (b1 && b2) {
/* Both strings converted correctly */
@@ -221,6 +227,7 @@ utf8str:
return ret;
}
+
/*
canonicalise a attribute in DN format
*/
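Review bot: Each new loop condition reads the byte before testing the remaining length — `while (*s1 == ' ' && n1)` and `while (*s1 && *s2 && n1 && n2)` here, `while (s1[0] == s1[1] && n1)` in the @@ -167 hunk, and the @@ -178 hunk's `while (*s1 == ' ') { s1++; n1--; }` has no length test at all — so once n1 or n2 reaches zero the comparison still touches a byte past the end of the length-limited value, and the s1[1] form needs two bytes. Swapping the operands, `while (n1 && *s1 == ' ') { s1++; n1--; }` and `while (n1 > 1 && s1[0] == s1[1]) { s1++; n1--; }`, with the same for s2 and an `n1 &&` / `n2 &&` guard on the trailing-space loops, makes the bound take effect before the read and also stops the unguarded trailing loop from driving the size_t counters below zero. After the loops, `if (! (*s1 && *s2))` and the final `toupper(*s1)` / `toupper(*s2)` compare still dereference both pointers even when n1 or n2 is zero, so those need a count check as well, for instance treating an exhausted side as the terminator. The `;` after the closing brace of the two leading-space loops is an empty statement and can go. ldb_comparison_fold continues past this hunk.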
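Review bot: `return n1 - n2;` subtracts two size_t values and narrows the unsigned result to int, so when n1 < n2 the sign the caller sees depends on an implementation-defined conversion and the magnitude means nothing to a strcmp-style caller; `return n1 > n2 ? 1 : -1;` inside the existing `if (n1 != n2)` gives a well-defined ordering. Note also that this length check runs after the ASCII loop may have exited on a character mismatch via `break`, so two values that differ in an early byte and also differ in length are now ordered by length rather than by that byte; presumably only equality matters to most callers, but it changes the sign returned to anything that sorts with this function and deserves a comment. The function starts outside this hunk.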
diff --git a/source4/lib/ldb/common/ldb_utf8.c b/source4/lib/ldb/common/ldb_utf8.c
index b7b4a60122..69ee2b6964 100644
--- a/source4/lib/ldb/common/ldb_utf8.c
+++ b/source4/lib/ldb/common/ldb_utf8.c
@@ -40,8 +40,8 @@
function to handle utf8 caseless comparisons
*/
void ldb_set_utf8_fns(struct ldb_context *ldb,
- void *context,
- char *(*casefold)(void *, void *, const char *))
+ void *context,
+ char *(*casefold)(void *, void *, const char *, size_t))
{
if (context)
ldb->utf8_fns.context = context;
@@ -53,10 +53,10 @@ void ldb_set_utf8_fns(struct ldb_context *ldb,
a simple case folding function
NOTE: does not handle UTF8
*/
-char *ldb_casefold_default(void *context, void *mem_ctx, const char *s)
+char *ldb_casefold_default(void *context, void *mem_ctx, const char *s, size_t n)
{
int i;
- char *ret = talloc_strdup(mem_ctx, s);
+ char *ret = talloc_strndup(mem_ctx, s, n);
if (!s) {
errno = ENOMEM;
return NULL;
@@ -72,9 +72,9 @@ void ldb_set_utf8_default(struct ldb_context *ldb)
ldb_set_utf8_fns(ldb, NULL, ldb_casefold_default);
}
-char *ldb_casefold(struct ldb_context *ldb, void *mem_ctx, const char *s)
+char *ldb_casefold(struct ldb_context *ldb, void *mem_ctx, const char *s, size_t n)
{
- return ldb->utf8_fns.casefold(ldb->utf8_fns.context, mem_ctx, s);
+ return ldb->utf8_fns.casefold(ldb->utf8_fns.context, mem_ctx, s, n);
}
/*
-- cgit
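Review bot: The casefold callback gains a `size_t` parameter, but the comment above it, `function to handle utf8 caseless comparisons`, says nothing about what the new argument means or whether the pointer handed to the callback is NUL-terminated, and the callers changed in attrib_handlers.c now pass lengths taken from length-limited ldb values, so an implementation that relies on a terminator will read past the value. Extend the comment to state that the callback receives `n` bytes that need not be NUL-terminated, must not read beyond them, and returns a talloc'd NUL-terminated copy, which is what ldb_casefold_default does via talloc_strndup. Any casefold implementation registered from outside this file has to be updated to the new signature; the declaration in the public header is outside this diff and should be checked to match.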
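Review bot: The line right after the changed `talloc_strndup(mem_ctx, s, n)` tests `if (!s)`, the input, rather than `ret`, the allocation result, so an allocation failure is never detected and whatever follows presumably walks a NULL `ret`; it should read `if (!ret) {`. The `errno = ENOMEM` beneath it only makes sense for the allocation case, which suggests the test was always meant for ret. The line is pre-existing context, but this commit is the one touching the allocation, so it is the natural place to correct it. The body of ldb_casefold_default continues outside this hunk.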