openldap/CVE-2020-36221-1.patch

From 38ac838e4150c626bbfa0082b7e2cf3a2bb4df31 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 23 Nov 2020 17:14:00 +0000
Subject: [PATCH] ITS#9404 fix serialNumberAndIssuerCheck

Tighten validity checks
---
 servers/slapd/schema_init.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 834f54593..5b577607d 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3193,7 +3193,7 @@ serialNumberAndIssuerCheck(
 
 	if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
 
-	if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+	if( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
 		/* Parse old format */
 		is->bv_val = ber_bvchr( in, '$' );
 		if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;
@@ -3224,7 +3224,7 @@ serialNumberAndIssuerCheck(
 			HAVE_ALL = ( HAVE_ISSUER | HAVE_SN )
 		} have = HAVE_NONE;
 
-		int numdquotes = 0;
+		int numdquotes = 0, gotquote;
 		struct berval x = *in;
 		struct berval ni;
 		x.bv_val++;
@@ -3266,11 +3266,12 @@ serialNumberAndIssuerCheck(
 				is->bv_val = x.bv_val;
 				is->bv_len = 0;
 
-				for ( ; is->bv_len < x.bv_len; ) {
+				for ( gotquote=0; is->bv_len < x.bv_len; ) {
 					if ( is->bv_val[is->bv_len] != '"' ) {
 						is->bv_len++;
 						continue;
 					}
+					gotquote = 1;
 					if ( is->bv_val[is->bv_len+1] == '"' ) {
 						/* double dquote */
 						numdquotes++;
@@ -3279,6 +3280,8 @@ serialNumberAndIssuerCheck(
 					}
 					break;
 				}
+				if ( !gotquote ) return LDAP_INVALID_SYNTAX;
+
 				x.bv_val += is->bv_len + 1;
 				x.bv_len -= is->bv_len + 1;
 
-- 
GitLab
openldap:fix CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 Signed-off-by: liuzy518 <570407222@qq.com> 2021-02-18 20:28:16 +08:00			`From 38ac838e4150c626bbfa0082b7e2cf3a2bb4df31 Mon Sep 17 00:00:00 2001`
			`From: Howard Chu <hyc@openldap.org>`
			`Date: Mon, 23 Nov 2020 17:14:00 +0000`
			`Subject: [PATCH] ITS#9404 fix serialNumberAndIssuerCheck`

			`Tighten validity checks`
			`---`
			`servers/slapd/schema_init.c \| 9 ++++++---`
			`1 file changed, 6 insertions(+), 3 deletions(-)`

			`diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c`
			`index 834f54593..5b577607d 100644`
			`--- a/servers/slapd/schema_init.c`
			`+++ b/servers/slapd/schema_init.c`
			`@@ -3193,7 +3193,7 @@ serialNumberAndIssuerCheck(`

			`if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;`

			`- if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {`
			`+ if( in->bv_val[0] != '{' \|\| in->bv_val[in->bv_len-1] != '}' ) {`
			`/* Parse old format */`
			`is->bv_val = ber_bvchr( in, '$' );`
			`if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;`
			`@@ -3224,7 +3224,7 @@ serialNumberAndIssuerCheck(`
			`HAVE_ALL = ( HAVE_ISSUER \| HAVE_SN )`
			`} have = HAVE_NONE;`

			`- int numdquotes = 0;`
			`+ int numdquotes = 0, gotquote;`
			`struct berval x = *in;`
			`struct berval ni;`
			`x.bv_val++;`
			`@@ -3266,11 +3266,12 @@ serialNumberAndIssuerCheck(`
			`is->bv_val = x.bv_val;`
			`is->bv_len = 0;`

			`- for ( ; is->bv_len < x.bv_len; ) {`
			`+ for ( gotquote=0; is->bv_len < x.bv_len; ) {`
			`if ( is->bv_val[is->bv_len] != '"' ) {`
			`is->bv_len++;`
			`continue;`
			`}`
			`+ gotquote = 1;`
			`if ( is->bv_val[is->bv_len+1] == '"' ) {`
			`/* double dquote */`
			`numdquotes++;`
			`@@ -3279,6 +3280,8 @@ serialNumberAndIssuerCheck(`
			`}`
			`break;`
			`}`
			`+ if ( !gotquote ) return LDAP_INVALID_SYNTAX;`
			`+`
			`x.bv_val += is->bv_len + 1;`
			`x.bv_len -= is->bv_len + 1;`

			`--`
			`GitLab`