This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.3.6
in repository 389-ds-base.
commit 62ac4ec80c26f87a8dbfc70eaa25cae39d9af48a
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Tue May 8 11:01:45 2018 -0400
CVE-2018-1089 - Crash from long search filter
---
ldap/servers/slapd/filter.c | 8 ++++----
ldap/servers/slapd/util.c | 10 +++++-----
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
index bdf189b..06b0909 100644
--- a/ldap/servers/slapd/filter.c
+++ b/ldap/servers/slapd/filter.c
@@ -486,7 +486,7 @@ get_substring_filter(
f->f_sub_initial = val;
eval = (char*)slapi_escape_filter_value(val, -1);
if(eval) {
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
fstr_len += (strlen(eval) + 1) * 2;
*fstr = slapi_ch_realloc(*fstr, fstr_len);
}
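Review bot: The capacity test `if (fstr_len <= strlen(*fstr) + strlen(eval) + 1)` appears verbatim in the next two hunks as well (the `f_sub_any` and `f_sub_final` branches), and nothing records what the `+ 1` reserves or why the comparison has to be inclusive. Since this boundary is the whole fix, one static helper taking `fstr`, `&fstr_len` and the number of bytes about to be appended would keep the three sites from drifting apart, and would let `strlen(eval)` be computed once per branch instead of twice. At minimum, add a comment above the check naming the bytes being reserved, for example `/* room for eval plus separator and trailing NUL */`, after confirming the count against the append code, which is outside these hunks. `get_substring_filter` begins and ends outside the hunk.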
@@ -500,7 +500,7 @@ get_substring_filter(
charray_add(&f->f_sub_any, val);
eval = (char*)slapi_escape_filter_value(val, -1);
if(eval){
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
fstr_len += (strlen(eval) + 1) * 2;
*fstr = slapi_ch_realloc(*fstr, fstr_len);
}
@@ -518,7 +518,7 @@ get_substring_filter(
f->f_sub_final = val;
eval = (char*)slapi_escape_filter_value( val, -1);
if(eval){
- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
fstr_len += (strlen(eval) + 1) * 2;
*fstr = slapi_ch_realloc(*fstr, fstr_len);
}
@@ -544,7 +544,7 @@ get_substring_filter(
}
filter_compute_hash(f);
- if (fstr_len < strlen(*fstr) + 3) {
+ if (fstr_len <= strlen(*fstr) + 3) {
fstr_len += 3;
*fstr = slapi_ch_realloc(*fstr, fstr_len);
}
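Review bot: The growth step `fstr_len += 3;` is relative to the old capacity rather than to the space actually required, so it only guarantees room if `fstr_len` was already at least `strlen(*fstr) + 1` when this check is reached. That invariant is not visible in the hunk; sizing from the requirement, `fstr_len = strlen(*fstr) + 4;`, would make the reallocation sufficient regardless of earlier bookkeeping. The same reasoning applies to `fstr_len += (strlen(eval) + 1) * 2;` in the three hunks above. The function continues outside the hunk.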
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index ffeeff6..9f44d60 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -153,6 +153,11 @@ do_escape_string (
break;
}
do {
+ if (bufSpace < 4) {
+ memcpy(bufNext, "..", 2);
+ bufNext += 2;
+ goto bail;
+ }
if (esc == UTIL_ESCAPE_BACKSLASH) {
/* *s is '\\' */
/* If *(s+1) and *(s+2) are both hex digits,
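Review bot: The threshold in `if (bufSpace < 4)` is an unexplained constant. Judging from the other util.c hunk, it covers the worst case of one `'\\'` byte plus the three bytes `PR_snprintf(bufNext, 3, "%02x", ...)` writes (two digits and a NUL); a comment such as `/* worst case per char: '\\' + two hex digits + NUL from PR_snprintf */` would tie the number to those writes. Separately, the truncation path still copies two bytes of `".."` when `bufSpace` may be 0 or 1, and the terminator is presumably written after `bail`. That is only safe if `bufSpace` is initialised with slack below the real buffer size, which is not visible here, so a comment stating the reserve or an assertion on it is worth adding. `do_escape_string` and the `do` loop both extend beyond the hunk.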
@@ -169,11 +174,6 @@ do_escape_string (
if (!(flags & DOESCAPE_FLAGS_HEX_NOESC)) {
*bufNext++ = '\\'; --bufSpace;
}
- if (bufSpace < 3) {
- memcpy(bufNext, "..", 2);
- bufNext += 2;
- goto bail;
- }
PR_snprintf(bufNext, 3, "%02x", *(unsigned char*)s);
bufNext += 2; bufSpace -= 2;
}