[Pkg-samba-maint] [samba] 05/19: CVE-2015-5330: ldb_dn_escape_value: use known string length, not strlen()

[Jelmer Vernooij]

This is an automated email from the git hooks/post-receive script.

jelmer pushed a commit to branch upstream_4.3
in repository samba.

commit eaec4520908b60a20ca1d8e206b516cb97e39ecd
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 24 13:09:36 2015 +1300

    CVE-2015-5330: ldb_dn_escape_value: use known string length, not strlen()
    
    ldb_dn_escape_internal() reports the number of bytes it copied, so
    lets use that number, rather than using strlen() and hoping a zero got
    in the right place.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
---
 lib/ldb/common/ldb_dn.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index 1b8e51e..a3b8f92 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -250,7 +250,7 @@ static int ldb_dn_escape_internal(char *dst, const char *src, int len)
 char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
 {
 	char *dst;
-
+	size_t len;
 	if (!value.length)
 		return NULL;
 
@@ -261,10 +261,14 @@ char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
 		return NULL;
 	}
 
-	ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
-
-	dst = talloc_realloc(mem_ctx, dst, char, strlen(dst) + 1);
+	len = ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
 
+	dst = talloc_realloc(mem_ctx, dst, char, len + 1);
+	if ( ! dst) {
+		talloc_free(dst);
+		return NULL;
+	}
+	dst[len] = '\0';
 	return dst;
 }
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git