[Pkg-samba-maint] [samba] 03/19: CVE-2015-3223: lib: ldb: Use memmem binary search, not strstr text search.

[Jelmer Vernooij]

This is an automated email from the git hooks/post-receive script.

jelmer pushed a commit to branch upstream_4.3
in repository samba.

commit ef6f1517cc12ef2c5ec076bf8b00c03adc14de0b
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jun 9 14:00:01 2015 -0700

    CVE-2015-3223: lib: ldb: Use memmem binary search, not strstr text search.
    
    Values might have embedded zeros.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
---
 lib/ldb/common/ldb_match.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
index 7414289..182c6ce 100644
--- a/lib/ldb/common/ldb_match.c
+++ b/lib/ldb/common/ldb_match.c
@@ -241,7 +241,6 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 	struct ldb_val val;
 	struct ldb_val cnk;
 	struct ldb_val *chunk;
-	char *p, *g;
 	uint8_t *save_p = NULL;
 	unsigned int c = 0;
 
@@ -288,6 +287,7 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 	}
 
 	while (tree->u.substring.chunks[c]) {
+		uint8_t *p;
 
 		chunk = tree->u.substring.chunks[c];
 		if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
@@ -299,15 +299,24 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 		if (cnk.length == 0) {
 			goto mismatch;
 		}
-		p = strstr((char *)val.data, (char *)cnk.data);
+		/*
+		 * Values might be binary blobs. Don't use string
+		 * search, but memory search instead.
+		 */
+		p = memmem((const void *)val.data,val.length,
+			   (const void *)cnk.data, cnk.length);
 		if (p == NULL) goto mismatch;
 		if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
+			uint8_t *g;
 			do { /* greedy */
-				g = strstr((char *)p + cnk.length, (char *)cnk.data);
+				g = memmem(p + cnk.length,
+					val.length - (p - val.data),
+					(const uint8_t *)cnk.data,
+					cnk.length);
 				if (g) p = g;
 			} while(g);
 		}
-		val.length = val.length - (p - (char *)(val.data)) - cnk.length;
+		val.length = val.length - (p - (uint8_t *)(val.data)) - cnk.length;
 		val.data = (uint8_t *)(p + cnk.length);
 		c++;
 		talloc_free(cnk.data);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git