The Samba-Bugzilla – Attachment 15013 Details for
Bug 9567
oLschema2ldif fail to import any SYNTAX that isn't in dsdb_syntaxes array
[patch]
patch from hansmi
oLschema2ldif-crash.patch (text/plain), 10.03 KB, created by
Andrew Bartlett
on 2019-03-27 23:10:52 UTC
Description:
patch from hansmi
Creator:
Andrew Bartlett
Created:
2019-03-27 23:10:52 UTC
Size:
10.03 KB
>From 1db702111781b5fed07a0f904829a436cd911bbc Mon Sep 17 00:00:00 2001
>From: Michael Hanselmann <public@hansmi.ch>
>Date: Wed, 27 Mar 2019 20:17:08 +0100
>Subject: [PATCH] oLschema2ldif: Resolve multiple parsing bugs
>
>The "oLschema2ldif" program contained multiple bugs triggered by
>malformed inputs:
>
>* Iteration beyond list of recognized dsdb syntax OIDs when value wasn't
> found (bug 9567, [1])
>* NULL pointer dereference when input didn't define a name
>* Heap buffer overflows for unterminated token values
>
>Tests are added to reproduce all identified bugs.
>
>[1] https://bugzilla.samba.org/show_bug.cgi?id=9567
>
>Signed-off-by: Michael Hanselmann <public@hansmi.ch>
>---
> selftest/tests.py | 2 +
> source4/dsdb/schema/schema_syntax.c | 3 +-
> source4/utils/oLschema2ldif/lib.c | 23 ++-
> source4/utils/oLschema2ldif/test.c | 206 ++++++++++++++++++++++
> source4/utils/oLschema2ldif/wscript_build | 7 +
> 5 files changed, 239 insertions(+), 2 deletions(-)
> create mode 100644 source4/utils/oLschema2ldif/test.c
>
>diff --git a/selftest/tests.py b/selftest/tests.py
>index 48c275c7793..01afdaea2d0 100644
>--- a/selftest/tests.py
>+++ b/selftest/tests.py
>@@ -258,3 +258,5 @@ plantestsuite("samba.unittests.ntlm_check", "none",
> [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
> plantestsuite("samba.unittests.test_registry_regfio", "none",
> [os.path.join(bindir(), "default/source3/test_registry_regfio")])
>+plantestsuite("samba.unittests.test_oLschema2ldif", "none",
>+ [os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")])
>diff --git a/source4/dsdb/schema/schema_syntax.c b/source4/dsdb/schema/schema_syntax.c
>index b434b6b0a5f..057924dc3af 100644
>--- a/source4/dsdb/schema/schema_syntax.c
>+++ b/source4/dsdb/schema/schema_syntax.c
>@@ -2634,7 +2634,8 @@ static const struct dsdb_syntax dsdb_syntaxes[] = {
> .validate_ldb = dsdb_syntax_DN_STRING_validate_ldb,
> .equality = "octetStringMatch",
> .comment = "OctetString: String+DN",
>- }
>+ },
>+ { NULL },
> };
>
> const struct dsdb_syntax *find_syntax_map_by_ad_oid(const char *ad_oid)
>diff --git a/source4/utils/oLschema2ldif/lib.c b/source4/utils/oLschema2ldif/lib.c
>index 8c85ce85a7c..feda4674eb0 100644
>--- a/source4/utils/oLschema2ldif/lib.c
>+++ b/source4/utils/oLschema2ldif/lib.c
>@@ -121,7 +121,9 @@ static char *get_def_value(TALLOC_CTX *ctx, char **string)
> n = strcspn(c, "\'");
> value = talloc_strndup(ctx, c, n);
> c += n;
>- c++; /* skip closing \' */
>+ if (*c != '\0') {
>+ c++; /* skip closing \' */
>+ }
> } else {
> n = strcspn(c, " \t\n");
> value = talloc_strndup(ctx, c, n);
>@@ -177,6 +179,10 @@ static struct schema_token *get_next_schema_token(TALLOC_CTX *ctx, char **string
> n = strcspn(c, ")");
> token->value = talloc_strndup(ctx, c, n);
> c += n;
>+ if (*c == '\0') {
>+ talloc_free(token->value);
>+ return NULL;
>+ }
> c++;
> } else {
> token->value = get_def_value(ctx, &c);
>@@ -217,6 +223,10 @@ static struct schema_token *get_next_schema_token(TALLOC_CTX *ctx, char **string
> n = strcspn(c, ")");
> token->value = talloc_strndup(ctx, c, n);
> c += n;
>+ if (*c == '\0') {
>+ talloc_free(token->value);
>+ return NULL;
>+ }
> c++;
> } else {
> token->value = get_def_value(ctx, &c);
>@@ -236,6 +246,10 @@ static struct schema_token *get_next_schema_token(TALLOC_CTX *ctx, char **string
> n = strcspn(c, ")");
> token->value = talloc_strndup(ctx, c, n);
> c += n;
>+ if (*c == '\0') {
>+ talloc_free(token->value);
>+ return NULL;
>+ }
> c++;
> } else {
> token->value = get_def_value(ctx, &c);
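Review bot: The `{ NULL },` entry added at the end of `dsdb_syntaxes[]` makes the array one element longer, so it only helps lookups that stop on a NULL field. Any lookup in this file that bounds its loop by the element count (the bodies, including `find_syntax_map_by_ad_oid` whose signature follows, are outside this hunk) would now reach an entry whose string members are all NULL and could pass one to a string comparison. Confirm every iteration over the table before relying on the sentinel, or leave the table unchanged and bound the loop that ran off the end by the array's element count instead. If the sentinel stays, it deserves a comment such as `/* terminator: lookups that test for a NULL OID stop here */`.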
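Review bot: An unterminated quoted value is still returned as if it were complete, because the new `if (*c != '\0')` guard in get_def_value only avoids stepping past the terminator, whereas the parenthesised-list paths patched in the same file return NULL for the same condition. Consider treating the missing closing quote as a parse error here too, e.g. `if (*c == '\0') { talloc_free(value); return NULL; }`, provided the callers cope with a NULL value (they are not visible in this hunk). The result of `talloc_strndup` on the context line above is also used without a NULL check. The function body continues outside the hunk.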
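Review bot: The same four-line termination check is pasted into three branches of get_next_schema_token (the hunk at -177 and the ones at -217 and -236), and each branch copies the value before discovering that the closing `)` is missing. Testing `c[n]` before the copy and moving the logic into one static helper removes the allocate-then-free step and gives the check a single home; each call site then becomes `token->value = get_paren_value(ctx, &c); if (token->value == NULL) { return NULL; }`. The early returns also leave `token` itself allocated; whether it is released together with `ctx` is not visible here, since the function starts and ends outside the hunks. The helper name is only a suggestion.

```c
/* Copy the text up to the closing ')' and step past it.
 * Returns NULL if the list is unterminated or the copy fails. */
static char *get_paren_value(TALLOC_CTX *ctx, char **string)
{
	char *c = *string;
	size_t n = strcspn(c, ")");
	char *value;

	if (c[n] == '\0') {
		return NULL;	/* no closing ')' before end of input */
	}
	value = talloc_strndup(ctx, c, n);
	if (value == NULL) {
		return NULL;
	}
	*string = c + n + 1;
	return value;
}
```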
>@@ -316,6 +330,9 @@ static struct schema_token *get_next_schema_token(TALLOC_CTX *ctx, char **string
> }
> if (*c == '\'') {
> c = strchr(++c, '\'');
>+ if (c == NULL || *c == '\0') {
>+ return NULL;
>+ }
> c++;
> } else {
> c += strcspn(c, " \t\n");
>@@ -486,12 +503,16 @@ static struct ldb_message *process_entry(TALLOC_CTX *mem_ctx, struct conv_option
>
> default:
> fprintf(stderr, "Unknown Definition: %s\n", token->value);
>+ goto failed;
> }
> }
>
> if (isAttribute) {
> MSG_ADD_STRING("isSingleValued", single_valued ? "TRUE" : "FALSE");
> } else {
>+ if (msg->dn == NULL) {
>+ goto failed;
>+ }
> MSG_ADD_STRING("defaultObjectCategory", ldb_dn_get_linearized(msg->dn));
> }
>
>diff --git a/source4/utils/oLschema2ldif/test.c b/source4/utils/oLschema2ldif/test.c
>new file mode 100644
>index 00000000000..6748ce08c33
>--- /dev/null
>+++ b/source4/utils/oLschema2ldif/test.c
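Review bot: In the check added after `strchr(++c, '\'')` (hunk at -316), the `*c == '\0'` half can never be true, because strchr searching for a quote returns either NULL or a pointer to a quote character. `if (c == NULL) {` states the actual failure, a missing closing quote, without implying a second case. A short comment such as `/* unterminated quoted value */` on the return would help, since NULL from this function presumably also signals end of input; most of the function body lies outside the hunk.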
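Review bot: The new `msg->dn == NULL` check in process_entry (hunk at -486) guards only the object-class branch, so an attribute type defined without a name would, going by the commit message, still leave the message without a DN. Whether the code after this hunk or the caller tolerates that is not visible here, and the added test covers only the `objectclass` case. Consider moving the check above `if (isAttribute)` so both kinds are rejected. The failure is also silent, unlike the `Unknown Definition` branch just above; a diagnostic such as `fprintf(stderr, "Definition has no NAME\n");` before `goto failed;` would tell the user why the entry was dropped.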
>@@ -0,0 +1,206 @@
>+/*
>+ * Unix SMB/CIFS implementation.
>+ *
>+ * Copyright (C) 2019 Michael Hanselmann <public@hansmi.ch>
>+ *
>+ * This program is free software; you can redistribute it and/or modify
>+ * it under the terms of the GNU General Public License as published by
>+ * the Free Software Foundation; either version 3 of the License, or
>+ * (at your option) any later version.
>+ *
>+ * This program is distributed in the hope that it will be useful,
>+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+ * GNU General Public License for more details.
>+ *
>+ * You should have received a copy of the GNU General Public License
>+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
>+ */
>+
>+#include <stdarg.h>
>+#include <stddef.h>
>+#include <setjmp.h>
>+#include <cmocka.h>
>+
>+#include "includes.h"
>+#include "./lib.h"
>+
>+struct test_ctx {
>+};
>+
>+static int setup_context(void **state)
>+{
>+ struct test_ctx *test_ctx;
>+
>+ test_ctx = talloc_zero(NULL, struct test_ctx);
>+ assert_non_null(test_ctx);
>+
>+ *state = test_ctx;
>+
>+ return 0;
>+}
>+
>+static int teardown_context(void **state)
>+{
>+ struct test_ctx *test_ctx =
>+ talloc_get_type_abort(*state, struct test_ctx);
>+
>+ talloc_free(test_ctx);
>+
>+ return 0;
>+}
>+
>+static struct schema_conv process_data_blob(void **state, DATA_BLOB input)
>+{
>+ struct test_ctx *test_ctx =
>+ talloc_get_type_abort(*state, struct test_ctx);
>+ struct conv_options opt;
>+ struct schema_conv ret;
>+
>+ assert_non_null(test_ctx);
>+ assert_non_null(input.data);
>+
>+ opt.in = fmemopen(input.data, input.length, "r");
>+ opt.out = fopen("/dev/null", "w");
>+ opt.ldb_ctx = ldb_init(test_ctx, NULL);
>+
>+ assert_non_null(opt.in);
>+ assert_non_null(opt.out);
>+ assert_non_null(opt.ldb_ctx);
>+
>+ opt.basedn = ldb_dn_new(test_ctx, opt.ldb_ctx, "");
>+
>+ assert_non_null(opt.basedn);
>+
>+ ret =
process_file(test_ctx, &opt);
>+
>+ fclose(opt.in);
>+ fclose(opt.out);
>+
>+ return ret;
>+}
>+
>+static void test_unknown_syntax_oid(void **state)
>+{
>+ struct schema_conv ret;
>+
>+ ret = process_data_blob(state, data_blob_string_const(
>+ "attributetype ( 999.555.999.555.999\n"
>+ "NAME 'mailLocalAddress'\n"
>+ "DESC 'RFC822 email address of this recipient'\n"
>+ "EQUALITY caseIgnoreIA5Match\n"
>+ "SYNTAX 999.555.999.555.999{256} )\n"
>+ ));
>+
>+ assert_int_equal(ret.count, 1);
>+ assert_int_equal(ret.failures, 1);
>+}
>+
>+static void test_unterminated_token_value(void **state)
>+{
>+ struct schema_conv ret;
>+
>+ ret = process_data_blob(state, data_blob_string_const(
>+ "attributetype ( 2.16.840.1.113730.3.1.47\n"
>+ "\tNAME 'mailRoutingAX 1.3.6.1.4.1.1466.115.121.1.26{256}\n"
>+ "\tSI GLE-VALUE )\n"
>+ ));
>+
>+ assert_int_equal(ret.count, 1);
>+ assert_int_equal(ret.failures, 1);
>+}
>+
>+static void test_unterminated_must_value(void **state)
>+{
>+ struct schema_conv ret;
>+
>+ ret = process_data_blob(state, data_blob_string_const(
>+ "attributetype ( 1\n"
>+ "\tSYNTAX 1./)# MUST ( foobar $\n"
>+ ));
>+
>+ assert_int_equal(ret.count, 1);
>+ assert_int_equal(ret.failures, 1);
>+}
>+
>+static void test_unterminated_may_value(void **state)
>+{
>+ struct schema_conv ret;
>+
>+ ret = process_data_blob(state, data_blob_string_const(
>+ "attributetype ( 1\n"
>+ "\tSYNTAX 1.3.6.1.4.1.1466.115.121.1./)# MAY ( javaClassNames $\n"
>+ ));
>+
>+ assert_int_equal(ret.count, 1);
>+ assert_int_equal(ret.failures, 1);
>+}
>+
>+static void test_unterminated_sup_value(void **state)
>+{
>+ struct schema_conv ret;
>+
>+ ret = process_data_blob(state, data_blob_string_const(
>+ "attributetype ( 1\n"
>+ "\tSYNTAX 1./)# SUP ( foobar $\n"
>+ ));
>+
>+ assert_int_equal(ret.count, 1);
>+ assert_int_equal(ret.failures, 1);
>+}
>+
>+static void test_unknown_token(void **state)
>+{
>+ struct schema_conv ret;
>+
>+ ret = process_data_blob(state, data_blob_string_const(
>+
"attributetype ( 1\n"
>+ "\tFOOBAR 123\n"
>+ " )\n"
>+ ));
>+
>+ assert_int_equal(ret.count, 1);
>+ assert_int_equal(ret.failures, 1);
>+}
>+
>+static void test_missing_name(void **state)
>+{
>+ struct schema_conv ret;
>+
>+ ret = process_data_blob(state, data_blob_string_const(
>+ "objectclass ( 1.3.6.3.6.1.4.1.1466.115.121.1.26{256} )"
>+ ));
>+
>+ assert_int_equal(ret.count, 1);
>+ assert_int_equal(ret.failures, 1);
>+}
>+
>+int main(void) {
>+ const struct CMUnitTest tests[] = {
>+ cmocka_unit_test_setup_teardown(test_unknown_syntax_oid,
>+ setup_context,
>+ teardown_context),
>+ cmocka_unit_test_setup_teardown(test_unterminated_token_value,
>+ setup_context,
>+ teardown_context),
>+ cmocka_unit_test_setup_teardown(test_unterminated_must_value,
>+ setup_context,
>+ teardown_context),
>+ cmocka_unit_test_setup_teardown(test_unterminated_may_value,
>+ setup_context,
>+ teardown_context),
>+ cmocka_unit_test_setup_teardown(test_unterminated_sup_value,
>+ setup_context,
>+ teardown_context),
>+ cmocka_unit_test_setup_teardown(test_unknown_token,
>+ setup_context,
>+ teardown_context),
>+ cmocka_unit_test_setup_teardown(test_missing_name,
>+ setup_context,
>+ teardown_context),
>+ };
>+
>+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
>+
>+ return cmocka_run_group_tests(tests, NULL, NULL);
>+}
>diff --git a/source4/utils/oLschema2ldif/wscript_build b/source4/utils/oLschema2ldif/wscript_build
>index 5e87b7a385f..527c99dc2f2 100644
>--- a/source4/utils/oLschema2ldif/wscript_build
>+++ b/source4/utils/oLschema2ldif/wscript_build
>@@ -10,3 +10,10 @@ bld.SAMBA_BINARY('oLschema2ldif',
> manpages='oLschema2ldif.1',
> deps='oLschema2ldif-lib POPT_SAMBA',
> )
>+
>+bld.SAMBA_BINARY('test_oLschema2ldif',
>+ source='test.c',
>+ deps='cmocka oLschema2ldif-lib',
>+ local_include=False,
>+ install=False,
>+ )
>--
>2.18.1
>
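Review bot: `struct conv_options opt;` in process_data_blob (new file test.c) is left uninitialised and only `in`, `out`, `ldb_ctx` and `basedn` are assigned, so any other member of the struct (its definition is in lib.h, not shown) reaches process_file with an indeterminate value; `struct conv_options opt = {0};` makes the fixture deterministic. The assertions check only `ret.count` and `ret.failures`, so the out-of-bounds reads these cases are meant to reproduce are likely to be caught on unfixed code only when the suite runs under a memory checker such as AddressSanitizer or valgrind; a comment at the top of the file saying so would help the next maintainer. `struct test_ctx { };` is an empty struct, which ISO C does not permit (it is a GNU extension); a placeholder member avoids depending on that.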