I've pushed this patch under the one-line commit rule. It's also an
issue Noriko and I discussed in private, so she's familiar with the fix
(it's actually a slight variation on a fix she wrote).
From c177c34eef54e4ef6dc96cd22418a47cbd03789e Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@xxxxxxxxxx>
Date: Wed, 18 Nov 2009 22:05:57 -0800
Subject: [PATCH] Add bounds checking in DN unescape function
My previous patch for bug 504817 could cause us to read past the
end of the RDN string if it ended with a single escape character.
This fix adds a bounds check to ensure that we don't read past
the end of the string.
---
ldap/servers/slapd/util.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index c8d9a74..71a2305 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -236,8 +236,10 @@ strcpy_unescape_value( char *d, const char *s )
}
}
/* This is an escaped single character (like \"), so
- * just copy the special character and not the escape. */
- if (gotesc) {
+ * just copy the special character and not the escape.
+ * We need to be careful to not go past the end of
+ * the string when the loop increments s. */
+ if (gotesc && (s+1 < end)) {
s++;
*d++ = *s;
gotesc = 0;
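Review bot: In the new condition `if (gotesc && (s+1 < end))`, the case where gotesc is set but the bounds check fails is not handled in the visible lines: the branch is skipped, gotesc is not reset here, and the hunk does not show whether the trailing escape character is then copied to d literally or dropped. The added comment explains why the check exists but not what the output should be for an RDN that ends in a single escape. I would suggest stating that intended result in the comment (or handling it in an explicit else branch) and adding a regression test with a value that ends in a lone backslash. It would also help to confirm that `end`, which is defined outside this hunk, points one past the last character of s, since the correctness of `s+1 < end` depends on that.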
--
1.6.2.5