Author: rmeggins
Update of /cvs/dirsec/adminserver/lib/ldaputil
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28761/adminserver/lib/ldaputil
Modified Files:
certmap.c init.c
Log Message:
Bug(s) fixed: 186280
Bug Description: adminserver: Close potential security vulnerabilities
in CGI code
Reviewed by: Rob, Pete, Nathan, Noriko (Thanks!)
Fix Description: Most of this just involves making sure that we use
PR_snprintf/PL_strncpyz/PL_strcatn where able, or just making sure we
use snprintf/strncpy/strncat correctly and null terminate the buffers.
I also got rid of some dead code, unused variables, and the like. There
are a few cases that are more complex that I have specified below. In
some cases I had to change the function signature to add a size
parameter in cases where the function was copying to a given char * and
the size was assumed (in most cases this was safe but it's still dangerous).
Platforms tested: Fedora Core 5
Flag Day: no
Doc impact: no
Index: certmap.c
===================================================================
RCS file: /cvs/dirsec/adminserver/lib/ldaputil/certmap.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- certmap.c 18 Aug 2005 19:18:50 -0000 1.4
+++ certmap.c 31 Mar 2006 22:58:23 -0000 1.5
@@ -1096,7 +1096,7 @@
vallen = ava->value.len - lenLen;
rv = CERT_RFC1485_EscapeAndQuote(buf,
- BIG_LINE,
+ sizeof(buf),
(char*) ava->value.data + lenLen,
vallen);
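Review bot: `sizeof(buf)` is only the right bound if `buf` is declared as an array in this function, and its declaration is outside the hunk. If it is a `char *` parameter or a heap pointer, the expression yields the pointer size and CERT_RFC1485_EscapeAndQuote is given a 4- or 8-byte limit. The same applies to `sizeof(ldapdn)` and `sizeof(filter)` in the -1195 hunk. Please confirm all three are `char x[BIG_LINE]` locals; a short comment at each declaration, such as `/* passed as sizeof(buf); must stay an array */`, would keep a later refactor from silently breaking the bound.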
@@ -1195,12 +1195,12 @@
const char *tagName = certmap_secoid_to_name(tag);
if (PresentInComps(certmap_info->dncomps, tag)) {
- rv = AddToLdapDN(ldapdn, BIG_LINE, &dnlen, tagName, ava);
+ rv = AddToLdapDN(ldapdn, sizeof(ldapdn), &dnlen, tagName, ava);
if (rv != LDAPU_SUCCESS) return rv;
}
if (PresentInComps(certmap_info->filtercomps, tag)) {
- rv = AddToFilter(filter, BIG_LINE, &flen, tagName, ava);
+ rv = AddToFilter(filter, sizeof(filter), &flen, tagName, ava);
if (rv != LDAPU_SUCCESS) return rv;
numfavas++;
}
Index: init.c
===================================================================
RCS file: /cvs/dirsec/adminserver/lib/ldaputil/init.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- init.c 18 Aug 2005 19:18:50 -0000 1.4
+++ init.c 31 Mar 2006 22:58:23 -0000 1.5
@@ -66,7 +66,7 @@
if(is_lib) {
char path[1024];
- sprintf(path, "%s%c%s", dir, FILE_PATHSEP, libname);
+ PR_snprintf(path, sizeof(path), "%s%c%s", dir, FILE_PATHSEP, libname);
lib = PR_LoadLibrary(path);
if (!lib) rv = LDAPU_ERR_UNABLE_TO_LOAD_PLUGIN;
}
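Review bot: The result of `PR_snprintf` is discarded, so a `dir`/`libname` pair that does not fit in `path[1024]` is truncated silently and the shortened name is handed to `PR_LoadLibrary`, which may resolve to a different file than the one intended. As far as I know, PR_snprintf returns the number of characters written rather than the length it needed, so truncation has to be inferred. I would treat a result of `sizeof(path) - 1` as failure and set `rv = LDAPU_ERR_UNABLE_TO_LOAD_PLUGIN` without attempting the load. The three `PR_snprintf(dir, sizeof(dir), ...)` calls in the -99, -107 and -115 hunks pass a possibly truncated directory to `load_server_libs` in the same way. The enclosing function begins and ends outside this hunk.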
@@ -99,7 +99,7 @@
if (serv_root && *serv_root) {
/* Load common libraries */
- sprintf(dir, "%s%clib%c%s", serv_root, FILE_PATHSEP,
+ PR_snprintf(dir, sizeof(dir), "%s%clib%c%s", serv_root, FILE_PATHSEP,
FILE_PATHSEP, "common");
rv = load_server_libs(dir);
@@ -107,7 +107,7 @@
if (serv_type && *serv_type) {
/* Load server type specific libraries */
- sprintf(dir, "%s%clib%c%s", serv_root, FILE_PATHSEP,
+ PR_snprintf(dir, sizeof(dir), "%s%clib%c%s", serv_root, FILE_PATHSEP,
FILE_PATHSEP, serv_type);
rv = load_server_libs(dir);
@@ -115,7 +115,7 @@
if (serv_id && *serv_id) {
/* Load server instance specific libraries */
- sprintf(dir, "%s%clib%c%s", serv_root, FILE_PATHSEP,
+ PR_snprintf(dir, sizeof(dir), "%s%clib%c%s", serv_root, FILE_PATHSEP,
FILE_PATHSEP, serv_id);
rv = load_server_libs(dir);