From 85a1c62c942033f6e1b864aeb4fd72c4a8b3d38a Mon Sep 17 00:00:00 2001

From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Date: Tue, 24 Nov 2015 13:09:36 +1300

Subject: [PATCH 4/9] CVE-2015-5330: ldb_dn_escape_value: use known string

 length, not strlen()

ldb_dn_escape_internal() reports the number of bytes it copied, so

lets use that number, rather than using strlen() and hoping a zero got

in the right place.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>

Reviewed-by: Ralph Boehme <slow@samba.org>

---

 lib/ldb/common/ldb_dn.c | 12 ++++++++----

 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c

index 1b8e51e..a3b8f92 100644

--- a/lib/ldb/common/ldb_dn.c

+++ b/lib/ldb/common/ldb_dn.c

@@ -250,7 +250,7 @@ static int ldb_dn_escape_internal(char *dst, const char *src, int len)

 char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)

 {

 	char *dst;

-

+	size_t len;

 	if (!value.length)

 		return NULL;

@@ -261,10 +261,14 @@ char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)

 		return NULL;

 	}

-	ldb_dn_escape_internal(dst, (const char *)value.data, value.length);

-

-	dst = talloc_realloc(mem_ctx, dst, char, strlen(dst) + 1);

+	len = ldb_dn_escape_internal(dst, (const char *)value.data, value.length);

+	dst = talloc_realloc(mem_ctx, dst, char, len + 1);

+	if ( ! dst) {

+		talloc_free(dst);

+		return NULL;

+	}

+	dst[len] = '\0';

 	return dst;

 }

-- 

2.5.0