35 lines
1.3 KiB
Diff
35 lines
1.3 KiB
Diff
From 42f0f57eb819ce6b68a8c5b3b53123b83ec917e3 Mon Sep 17 00:00:00 2001
|
|
From: Gary Lockyer <gary@catalyst.net.nz>
|
|
Date: Tue, 19 Feb 2019 10:26:56 +1300
|
|
Subject: [PATCH] CVE-2019-3824 ldb: wildcard_match end of data check
|
|
|
|
ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0'
|
|
to the data, to make them safe to use the C string functions on.
|
|
|
|
However testing for the trailing '\0' is not the correct way to test for
|
|
the end of a value, the length should be checked instead.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773
|
|
|
|
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
lib/ldb/common/ldb_match.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
|
|
index 59f48b52b70..829afa77e71 100644
|
|
--- a/lib/ldb/common/ldb_match.c
|
|
+++ b/lib/ldb/common/ldb_match.c
|
|
@@ -353,7 +353,7 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
|
|
}
|
|
|
|
/* last chunk may not have reached end of string */
|
|
- if ( (! tree->u.substring.end_with_wildcard) && (*(val.data) != 0) ) goto mismatch;
|
|
+ if ( (! tree->u.substring.end_with_wildcard) && (val.length != 0) ) goto mismatch;
|
|
talloc_free(save_p);
|
|
*matched = true;
|
|
return LDB_SUCCESS;
|
|
--
|
|
2.24.0
|