mreynolds pushed a change to branch 389-ds-base-1.3.7 in repository 389-ds-base.
from 9109af6 Ticket 49449 - Load sysctl values on rpm upgrade. new 3fb1c40 Ticket 49471 - heap-buffer-overflow in ss_unescape
The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference.
Summary of changes: dirsrvtests/tests/tickets/ticket49471_test.py | 79 +++++++++++++++++++++++++++ ldap/servers/plugins/collation/orfilter.c | 14 +++-- 2 files changed, 87 insertions(+), 6 deletions(-) create mode 100644 dirsrvtests/tests/tickets/ticket49471_test.py
mreynolds pushed a commit to branch 389-ds-base-1.3.7 in repository 389-ds-base.
commit 3fb1c408cb4065de8d9c0c1de050d08969d51bb0 Author: Thierry Bordaz tbordaz@redhat.com Date: Wed Dec 6 15:14:57 2017 +0100
Ticket 49471 - heap-buffer-overflow in ss_unescape
Bug Description: Two problems here - when searching for wildcard and escape char, ss_unescape assumes the string is at least 3 chars long, so memcmp can read past the end of a shorter string - while splitting a string into substring patterns, it loops over wildcards and can run past the end of the string
Fix Description: For the first problem, it checks the string size is long enough to memcmp a wildcard or an escape For the second it exits from the loop as soon as the end of the string is reached
https://pagure.io/389-ds-base/issue/49471
Reviewed by: William Brown
Platforms tested: F23
Flag Day: no
Doc impact: no
(cherry picked from commit 5991388ce75fba8885579b769711d57acfd43cd3) --- dirsrvtests/tests/tickets/ticket49471_test.py | 79 +++++++++++++++++++++++++++ ldap/servers/plugins/collation/orfilter.c | 14 +++-- 2 files changed, 87 insertions(+), 6 deletions(-)
diff --git a/dirsrvtests/tests/tickets/ticket49471_test.py b/dirsrvtests/tests/tickets/ticket49471_test.py
new file mode 100644
index 0000000..0456a51
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49471_test.py
@@ -0,0 +1,79 @@
+import logging
+import pytest
+import os
+import time
+import ldap
+from lib389._constants import *
+from lib389.topologies import topology_st as topo
+from lib389 import Entry
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+
+USER_CN='user_'
+def _user_get_dn(no):
+ cn = '%s%d' % (USER_CN, no)
+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX)
+ return (cn, dn)
+
+def add_user(server, no, desc='dummy', sleep=True):
+ (cn, dn) = _user_get_dn(no)
+ log.fatal('Adding user (%s): ' % dn)
+ server.add_s(Entry((dn, {'objectclass': ['top', 'person', 'inetuser', 'userSecurityInformation'],
+ 'cn': [cn],
+ 'description': [desc],
+ 'sn': [cn],
+ 'description': ['add on that host']})))
+ if sleep:
+ time.sleep(2)
+
+def test_ticket49471(topo):
+ """Specify a test case purpose or name here
+
+ :id: 457ab172-9455-4eb2-89a0-150e3de5993f
+ :setup: Fill in set up configuration here
+ :steps:
+ 1. Fill in test case steps here
+ 2. And indent them like this (RST format requirement)
+ :expectedresults:
+ 1. Fill in the result that is expected
+ 2. For each test step
+ """
+
+ # If you need any test suite initialization,
+ # please, write additional fixture for that (including finalizer).
+ # Topology for suites are predefined in lib389/topologies.py.
+
+ # If you need host, port or any other data about instance,
+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid)
+
+ S1 = topo.standalone
+ add_user(S1, 1)
+
+ Filter = "(description:2.16.840.1.113730.3.3.2.1.1.6:=*on*)"
+ ents = S1.search_s(SUFFIX, ldap.SCOPE_SUBTREE, Filter)
+ assert len(ents) == 1
+
+ #
+ # The following is for the test 49491
+ # skipped here else it crashes in ASAN
+ #Filter = "(description:2.16.840.1.113730.3.3.2.1.1.6:=*host)"
+ #ents = S1.search_s(SUFFIX, ldap.SCOPE_SUBTREE, Filter)
+ #assert len(ents) == 1
+
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/plugins/collation/orfilter.c b/ldap/servers/plugins/collation/orfilter.c
index 5a2d8a0..a98d902 100644
--- a/ldap/servers/plugins/collation/orfilter.c
+++ b/ldap/servers/plugins/collation/orfilter.c
@@ -313,12 +313,12 @@ ss_unescape(struct berval *val)
 char *t = s;
 char *limit = s + val->bv_len;
 while (s < limit) {
- if (!memcmp(s, "\2a", 3) ||
- !memcmp(s, "\2A", 3)) {
+ if (((limit - s) >= 3) &&
+ (!memcmp(s, "\2a", 3) || !memcmp(s, "\2A", 3))) {
 *t++ = WILDCARD;
 s += 3;
- } else if (!memcmp(s, "\5c", 3) ||
- !memcmp(s, "\5C", 3)) {
+ } else if ((limit - s) >= 3 &&
+ (!memcmp(s, "\5c", 3) || !memcmp(s, "\5C", 3))) {
 *t++ = '\';
 s += 3;
 } else {
@@ -409,13 +409,15 @@ ss_filter_values(struct berval *pattern, int *query_op)
 switch (*p) {
 case WILDCARD:
 result[n++] = ss_filter_value(s, p - s, &val);
- while (++p != plimit && *p == WILDCARD)
- ;
+ while (p != plimit && *p == WILDCARD) p++;
 s = p;
 break;
 default:
 break;
 }
+ if (p >= plimit) {
+ break;
+ }
 }
 if (p != s || s == plimit) {
 result[n++] = ss_filter_value(s, p - s, &val);
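Review bot: In `add_user` the entry dict lists `'description'` twice, so Python keeps only the last value and the `desc` argument is silently discarded; the `*on*` search in `test_ticket49471` matches only because of the hard-coded `'add on that host'`. Keep a single `'description': [desc]` and give `desc` the default `'add on that host'`, or drop the parameter. The docstring is still the template text (`Fill in test case steps here`), so nothing in the file records that this is the regression case for the out-of-bounds read in the collation substring filter. The commented-out `*host` search would stay visible as a known failure if it were kept as a skipped test naming its ticket rather than as comments. `log.fatal` is the wrong level for a progress message; `log.info` fits.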
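Review bot: The two added guards in `ss_unescape` spell the same bound differently (`((limit - s) >= 3)` in the first branch, `(limit - s) >= 3` in the second) and repeat the literal 3 beside each `memcmp` length, which makes it easy for a later edit to change one branch and not the other. Computing the remaining length once at the top of the loop body, e.g. `const size_t left = limit - s;`, and testing `left >= 3` in both branches keeps the check in one place. A short comment such as `/* an escape sequence is 3 bytes; never compare past limit */` would record why the guard is there. The loop body continues outside the hunk.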
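Review bot: The added `if (p >= plimit) { break; }` in `ss_filter_values` carries no comment, and its purpose depends on the enclosing loop header, which is outside the hunk. Presumably it leaves the loop before the loop's own increment moves `p` beyond `plimit`, which would make the `p - s` length in the final `ss_filter_value` call cover bytes after the pattern. A comment such as `/* wildcards ran to the end of the pattern: stop before p is advanced past plimit */` would make that explicit. The wildcard skip tests `p != plimit` while the new check tests `p >= plimit`; writing the skip as `while (p < plimit && *p == WILDCARD)` with `p++;` on its own line keeps the bound tests consistent.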