From 1db702111781b5fed07a0f904829a436cd911bbc Mon Sep 17 00:00:00 2001 From: Michael Hanselmann Date: Wed, 27 Mar 2019 20:17:08 +0100 Subject: [PATCH] oLschema2ldif: Resolve multiple parsing bugs The "oLschema2ldif" program contained multiple bugs triggered by malformed inputs: * Iteration beyond list of recognized dsdb syntax OIDs when value wasn't found (bug 9567, [1]) * NULL pointer dereference when input didn't define a name * Heap buffer overflows for unterminated token values Tests are added to reproduce all identified bugs. [1] https://bugzilla.samba.org/show_bug.cgi?id=9567 Signed-off-by: Michael Hanselmann --- selftest/tests.py | 2 + source4/dsdb/schema/schema_syntax.c | 3 +- source4/utils/oLschema2ldif/lib.c | 23 ++- source4/utils/oLschema2ldif/test.c | 206 ++++++++++++++++++++++ source4/utils/oLschema2ldif/wscript_build | 7 + 5 files changed, 239 insertions(+), 2 deletions(-) create mode 100644 source4/utils/oLschema2ldif/test.c
diff --git a/selftest/tests.py b/selftest/tests.py
index 48c275c7793..01afdaea2d0 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -258,3 +258,5 @@ plantestsuite("samba.unittests.ntlm_check", "none",
 [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
 plantestsuite("samba.unittests.test_registry_regfio", "none",
 [os.path.join(bindir(), "default/source3/test_registry_regfio")])
+plantestsuite("samba.unittests.test_oLschema2ldif", "none",
+ [os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")])
diff --git a/source4/dsdb/schema/schema_syntax.c b/source4/dsdb/schema/schema_syntax.c
index b434b6b0a5f..057924dc3af 100644
--- a/source4/dsdb/schema/schema_syntax.c
+++ b/source4/dsdb/schema/schema_syntax.c
@@ -2634,7 +2634,8 @@ static const struct dsdb_syntax dsdb_syntaxes[] = {
 .validate_ldb = dsdb_syntax_DN_STRING_validate_ldb,
 .equality = "octetStringMatch",
 .comment = "OctetString: String+DN",
- }
+ },
+ { NULL },
 };
 const struct dsdb_syntax *find_syntax_map_by_ad_oid(const char *ad_oid)
diff --git a/source4/utils/oLschema2ldif/lib.c b/source4/utils/oLschema2ldif/lib.c
index 8c85ce85a7c..feda4674eb0 100644
--- a/source4/utils/oLschema2ldif/lib.c
+++ b/source4/utils/oLschema2ldif/lib.c
@@ -121,7 +121,9 @@ static char *get_def_value(TALLOC_CTX *ctx, char **string)
 n = strcspn(c, "\'");
 value = talloc_strndup(ctx, c, n);
 c += n;
- c++; /* skip closing \' */
+ if (*c != '\0') {
+ c++; /* skip closing \' */
+ }
 } else {
 n = strcspn(c, " \t\n");
 value = talloc_strndup(ctx, c, n);
@@ -177,6 +179,10 @@ static struct schema_token *get_next_schema_token(TALLOC_CTX *ctx, char **string
 n = strcspn(c, ")");
 token->value = talloc_strndup(ctx, c, n);
 c += n;
+ if (*c == '\0') {
+ talloc_free(token->value);
+ return NULL;
+ }
 c++;
 } else {
 token->value = get_def_value(ctx, &c);
@@ -217,6 +223,10 @@ static struct schema_token *get_next_schema_token(TALLOC_CTX *ctx, char **string
 n = strcspn(c, ")");
 token->value = talloc_strndup(ctx, c, n);
 c += n;
+ if (*c == '\0') {
+ talloc_free(token->value);
+ return NULL;
+ }
 c++;
 } else {
 token->value = get_def_value(ctx, &c);
@@ -236,6 +246,10 @@ static struct schema_token *get_next_schema_token(TALLOC_CTX *ctx, char **string
 n = strcspn(c, ")");
 token->value = talloc_strndup(ctx, c, n);
 c += n;
+ if (*c == '\0') {
+ talloc_free(token->value);
+ return NULL;
+ }
 c++;
 } else {
 token->value = get_def_value(ctx, &c);
@@ -316,6 +330,9 @@ static struct schema_token *get_next_schema_token(TALLOC_CTX *ctx, char **string
 }
 if (*c == '\'') {
 c = strchr(++c, '\'');
+ if (c == NULL || *c == '\0') {
+ return NULL;
+ }
 c++;
 } else {
 c += strcspn(c, " \t\n");
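Review bot: The `{ NULL },` terminator added to `dsdb_syntaxes[]` in source4/dsdb/schema/schema_syntax.c is undocumented, and it increases the array's element count, which matters to any loop that is bounded by the array size instead of by the terminator. Such a loop would now visit the all-NULL entry and could pass a NULL string to a comparison function; the lookup functions lie outside this hunk, so each of them needs checking to confirm it stops at the sentinel. A comment on the entry would make the contract explicit, for example `{ NULL }, /* terminator: lookup loops must stop here, never bound them by array size */`.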
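Review bot: In `get_def_value()` (lib.c hunk at -121) an unterminated quoted value is still returned as if its closing quote had been seen; the new `if (*c != '\0')` only stops the pointer from stepping past the terminator. The parenthesised-list branches patched further down in this file reject the same condition with `return NULL;`, so the two paths now disagree on whether truncated input is an error. Whether callers of `get_def_value()` cope with a NULL return is not visible here; if they do, `if (*c == '\0') { talloc_free(value); return NULL; }` would make the behaviour consistent, and if they do not, a comment such as `/* unterminated quote: leave c on the NUL so the caller sees end of input */` should record the choice. The function body starts and ends outside the hunk.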
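Review bot: The rejection path added to the list branches of `get_next_schema_token()` (lib.c hunks at -177, -217 and -236) frees `token->value` but returns without releasing `token` itself. `token` is allocated outside these hunks; if it hangs off `ctx` like the value does, each rejected definition leaves a token behind until `ctx` is freed, and `talloc_free(token);` before the `return NULL;` would close that. The same four lines are now repeated in three branches, so a small static helper that duplicates the text up to `)` and reports a missing terminator would keep the three checks from drifting apart. The function body starts and ends outside the hunks.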
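Review bot: In the lib.c hunk at -316 of `get_next_schema_token()`, the `*c == '\0'` half of the new condition can never be true, because a non-NULL result of `strchr(++c, '\'')` always points at a quote character. Writing the test as `if (c == NULL) {` says what is actually checked and avoids implying that a second case is handled. As in the list branches, this early `return NULL;` leaves `token` allocated if it was created before this point, which is outside the hunk.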
@@ -486,12 +503,16 @@ static struct ldb_message *process_entry(TALLOC_CTX *mem_ctx, struct conv_option
 default:
 fprintf(stderr, "Unknown Definition: %s\n", token->value);
+ goto failed;
 }
 }
 if (isAttribute) {
 MSG_ADD_STRING("isSingleValued", single_valued ? "TRUE" : "FALSE");
 } else {
+ if (msg->dn == NULL) {
+ goto failed;
+ }
 MSG_ADD_STRING("defaultObjectCategory", ldb_dn_get_linearized(msg->dn));
 }
diff --git a/source4/utils/oLschema2ldif/test.c b/source4/utils/oLschema2ldif/test.c
new file mode 100644
index 00000000000..6748ce08c33
--- /dev/null
+++ b/source4/utils/oLschema2ldif/test.c
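Review bot: The `msg->dn == NULL` guard added to `process_entry()` (lib.c hunk at -486) sits only in the object-class branch, so an attribute definition that never set a name still leaves through the `isAttribute` branch with `msg->dn` unset. Whether the code that later consumes the message tolerates a NULL DN is not visible in this hunk; if it does not, hoisting the test above the `if (isAttribute) {` line as `if (msg->dn == NULL) { goto failed; }` covers both kinds of definition. The new DN check also fails without any diagnostic, unlike the `Unknown Definition` path next to it, so a short `fprintf(stderr, ...)` saying that the definition has no name would help whoever has to fix the schema file. The function starts and ends outside the hunk.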
@@ -0,0 +1,206 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Copyright (C) 2019 Michael Hanselmann
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include
+#include
+#include
+#include
+
+#include "includes.h"
+#include "./lib.h"
+
+struct test_ctx {
+};
+
+static int setup_context(void **state)
+{
+ struct test_ctx *test_ctx;
+
+ test_ctx = talloc_zero(NULL, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ *state = test_ctx;
+
+ return 0;
+}
+
+static int teardown_context(void **state)
+{
+ struct test_ctx *test_ctx =
+ talloc_get_type_abort(*state, struct test_ctx);
+
+ talloc_free(test_ctx);
+
+ return 0;
+}
+
+static struct schema_conv process_data_blob(void **state, DATA_BLOB input)
+{
+ struct test_ctx *test_ctx =
+ talloc_get_type_abort(*state, struct test_ctx);
+ struct conv_options opt;
+ struct schema_conv ret;
+
+ assert_non_null(test_ctx);
+ assert_non_null(input.data);
+
+ opt.in = fmemopen(input.data, input.length, "r");
+ opt.out = fopen("/dev/null", "w");
+ opt.ldb_ctx = ldb_init(test_ctx, NULL);
+
+ assert_non_null(opt.in);
+ assert_non_null(opt.out);
+ assert_non_null(opt.ldb_ctx);
+
+ opt.basedn = ldb_dn_new(test_ctx, opt.ldb_ctx, "");
+
+ assert_non_null(opt.basedn);
+
+ ret = process_file(test_ctx, &opt);
+
+ fclose(opt.in);
+ fclose(opt.out);
+
+ return ret;
+}
+
+static void test_unknown_syntax_oid(void **state)
+{
+ struct schema_conv ret;
+
+ ret = process_data_blob(state, data_blob_string_const(
+ "attributetype ( 999.555.999.555.999\n"
+ "NAME 'mailLocalAddress'\n"
+ "DESC 'RFC822 email address of this recipient'\n"
+ "EQUALITY caseIgnoreIA5Match\n"
+ "SYNTAX 999.555.999.555.999{256} )\n"
+ ));
+
+ assert_int_equal(ret.count, 1);
+ assert_int_equal(ret.failures, 1);
+}
+
+static void test_unterminated_token_value(void **state)
+{
+ struct schema_conv ret;
+
+ ret = process_data_blob(state, data_blob_string_const(
+ "attributetype ( 2.16.840.1.113730.3.1.47\n"
+ "\tNAME 'mailRoutingAX 1.3.6.1.4.1.1466.115.121.1.26{256}\n"
+ "\tSI GLE-VALUE )\n"
+ ));
+
+ assert_int_equal(ret.count, 1);
+ assert_int_equal(ret.failures, 1);
+}
+
+static void test_unterminated_must_value(void **state)
+{
+ struct schema_conv ret;
+
+ ret = process_data_blob(state, data_blob_string_const(
+ "attributetype ( 1\n"
+ "\tSYNTAX 1./)# MUST ( foobar $\n"
+ ));
+
+ assert_int_equal(ret.count, 1);
+ assert_int_equal(ret.failures, 1);
+}
+
+static void test_unterminated_may_value(void **state)
+{
+ struct schema_conv ret;
+
+ ret = process_data_blob(state, data_blob_string_const(
+ "attributetype ( 1\n"
+ "\tSYNTAX 1.3.6.1.4.1.1466.115.121.1./)# MAY ( javaClassNames $\n"
+ ));
+
+ assert_int_equal(ret.count, 1);
+ assert_int_equal(ret.failures, 1);
+}
+
+static void test_unterminated_sup_value(void **state)
+{
+ struct schema_conv ret;
+
+ ret = process_data_blob(state, data_blob_string_const(
+ "attributetype ( 1\n"
+ "\tSYNTAX 1./)# SUP ( foobar $\n"
+ ));
+
+ assert_int_equal(ret.count, 1);
+ assert_int_equal(ret.failures, 1);
+}
+
+static void test_unknown_token(void **state)
+{
+ struct schema_conv ret;
+
+ ret = process_data_blob(state, data_blob_string_const(
+ "attributetype ( 1\n"
+ "\tFOOBAR 123\n"
+ " )\n"
+ ));
+
+ assert_int_equal(ret.count, 1);
+ assert_int_equal(ret.failures, 1);
+}
+
+static void test_missing_name(void **state)
+{
+ struct schema_conv ret;
+
+ ret = process_data_blob(state, data_blob_string_const(
+ "objectclass ( 1.3.6.3.6.1.4.1.1466.115.121.1.26{256} )"
+ ));
+
+ assert_int_equal(ret.count, 1);
+ assert_int_equal(ret.failures, 1);
+}
+
+int main(void) {
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_unknown_syntax_oid,
+ setup_context,
+ teardown_context),
+ cmocka_unit_test_setup_teardown(test_unterminated_token_value,
+ setup_context,
+ teardown_context),
+ cmocka_unit_test_setup_teardown(test_unterminated_must_value,
+ setup_context,
+ teardown_context),
+ cmocka_unit_test_setup_teardown(test_unterminated_may_value,
+ setup_context,
+ teardown_context),
+ cmocka_unit_test_setup_teardown(test_unterminated_sup_value,
+ setup_context,
+ teardown_context),
+ cmocka_unit_test_setup_teardown(test_unknown_token,
+ setup_context,
+ teardown_context),
+ cmocka_unit_test_setup_teardown(test_missing_name,
+ setup_context,
+ teardown_context),
+ };
+
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/source4/utils/oLschema2ldif/wscript_build b/source4/utils/oLschema2ldif/wscript_build
index 5e87b7a385f..527c99dc2f2 100644
--- a/source4/utils/oLschema2ldif/wscript_build
+++ b/source4/utils/oLschema2ldif/wscript_build
@@ -10,3 +10,10 @@ bld.SAMBA_BINARY('oLschema2ldif',
 manpages='oLschema2ldif.1',
 deps='oLschema2ldif-lib POPT_SAMBA',
 )
+
+bld.SAMBA_BINARY('test_oLschema2ldif',
+ source='test.c',
+ deps='cmocka oLschema2ldif-lib',
+ local_include=False,
+ install=False,
+ )
--
2.18.1
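Review bot: Several of the new cases in test.c cannot show which check rejected the input, because the strings carry more than one malformation and the only assertions are on `ret.count` and `ret.failures`. `test_unterminated_must_value`, for example, pairs the unterminated `MUST (` list with the syntax value `1./)#`, so the entry may be counted as failed for a reason unrelated to the new end-of-string check. One minimal input per bug, where only the closing `)` or quote is missing from an otherwise valid definition, would pin each fix. A comment above the tests should say that the overflow cases are only meaningful when the suite runs under a memory checker such as AddressSanitizer or valgrind. In `process_data_blob()`, `struct conv_options opt = {0};` would be safer than the bare declaration if the struct has members beyond the four assigned here, which this page does not show.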