From 8c17df640eda4ef5b8f15b2f01c8b169db73f7a0 Mon Sep 17 00:00:00 2001 From: William Brown Date: Nov 20 2015 01:17:09 +0000 Subject: Ticket 48351 - Fix buffer overflow error when reading url with len 0 https://fedorahosted.org/389/ticket/48351 Bug Description: In ldaputil.c it's possible to have url_to_use with a len of 0 This means we are reading from an undefined area of memory. Fix Description: Check len before the smprintf, and if 0, then provide a a default of "/" which matches the theoretical behaviour of the format. We also have a stronger check to prevent NULL from being passed as a URL to validate. Author: wibrown Review by: nhosoi, mreynolds (Thanks!)
---
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 8289dd7..9281e20 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -256,6 +256,10 @@ slapi_ldap_url_parse(const char *url, LDAPURLDesc **ludpp, int require_dn, int *
     PR_ASSERT(url);
     PR_ASSERT(ludpp);
     int rc;
+    /* This blocks NULL getting to strlen via url_to_use later in the function. */
+    if (url == NULL) {
+        return LDAP_PARAM_ERROR;
+    }
     const char *url_to_use = url;
 #if defined(USE_OPENLDAP)
     char *urlescaped = NULL;
@@ -339,7 +343,13 @@ slapi_ldap_url_parse(const char *url, LDAPURLDesc **ludpp, int require_dn, int *
        as the DN (adding a trailing / first if needed) and try to parse again */
-    char *urlcopy = slapi_ch_smprintf("%s%s%s", url_to_use, (url_to_use[len-1] == '/' ? "" : "/"), "");
+    char *urlcopy;
+    if (len > 0) {
+        urlcopy = slapi_ch_smprintf("%s%s%s", url_to_use, (url_to_use[len-1] == '/' ? "" : "/"), "");
+    } else {
+        /* When len == 0, this is effectively what we create ... */
+        urlcopy = slapi_ch_smprintf("/");
+    }
     if (*ludpp) {
         ldap_free_urldesc(*ludpp); /* free the old one, if any */
     }
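Review bot: The new guard rejects a NULL url but not a NULL ludpp, even though both are asserted side by side just above and `*ludpp` is dereferenced further down (visible in the second hunk); `PR_ASSERT` is typically compiled out in non-debug builds, so only the explicit check protects the release path. The same early return should cover both parameters: `if (url == NULL || ludpp == NULL) { return LDAP_PARAM_ERROR; }`. The comment would be more useful stating the contract than the internal motivation, e.g. `/* Reject NULL inputs explicitly; PR_ASSERT is a no-op in release builds and both pointers are dereferenced below. */`. Placing the check after `int rc;` mixes declarations and statements, which is fine only if the file is already built as C99 or later. The body of slapi_ldap_url_parse continues past this hunk.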
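Review bot: The else-branch comment `/* When len == 0, this is effectively what we create ... */` leaves the reader to work out why a bare "/" is the right substitute; say it directly: `/* len == 0 would index url_to_use[-1] below; with no URL body the format reduces to a lone "/" so the reparse sees an empty DN. */`. On the len > 0 path the `"%s%s%s"` format still carries a trailing `""` argument that contributes nothing; `urlcopy = slapi_ch_smprintf("%s%s", url_to_use, url_to_use[len - 1] == '/' ? "" : "/");` is equivalent and easier to read. The type of len is not visible in this hunk; `len > 0` is correct whether it is int or size_t, but if it is signed the earlier computation should be checked for negative values too. Two lines of leading context appear to be missing from this rendering, and slapi_ldap_url_parse continues beyond the hunk.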