The Samba-Bugzilla – Attachment 16501 Details for
Bug 14655
CVE-2021-20277 [SECURITY] out of bounds read in ldb_handler_fold
[patch]
additional fix for other bugs
0001-ldb-attrib_handler-casefold-simplify-space-dropping.patch (text/plain), 2.13 KB, created by
Douglas Bagnall
on 2021-03-05 10:18:14 UTC
Description:
additional fix for other bugs
Filename:
MIME Type:
Creator:
Douglas Bagnall
Created:
2021-03-05 10:18:14 UTC
Size:
2.13 KB
>From 9194883230f2725a4959de7d7d2b6f9a4a3e4577 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Tue, 8 Dec 2020 22:00:55 +1300
>Subject: [PATCH] ldb/attrib_handler casefold: simplify space dropping
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> lib/ldb/common/attrib_handlers.c | 53 +++++++++++++++-----------------
> 1 file changed, 25 insertions(+), 28 deletions(-)
>
>diff --git a/lib/ldb/common/attrib_handlers.c b/lib/ldb/common/attrib_handlers.c
>index c6ef5ad477b..f0fd4f50d8d 100644
>--- a/lib/ldb/common/attrib_handlers.c
>+++ b/lib/ldb/common/attrib_handlers.c
>@@ -54,8 +54,8 @@ int ldb_handler_copy(struct ldb_context *ldb, void *mem_ctx,
> int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx,
> const struct ldb_val *in, struct ldb_val *out)
> {
>- char *s, *t;
>- size_t l;
>+ char *s, *t, *start;
>+ bool in_space;
>
> if (!in || !out || !(in->data)) {
> return -1;
>@@ -67,36 +67,33 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx,
> return -1;
> }
>
>- s = (char *)(out->data);
>-
>- /* remove trailing spaces if any */
>- l = strlen(s);
>- while (l > 0 && s[l - 1] == ' ') l--;
>- s[l] = '\0';
>-
>- /* remove leading spaces if any */
>- if (*s == ' ') {
>- for (t = s; *s == ' '; s++, l--) ;
>-
>- /* remove leading spaces by moving down the string */
>- memmove(t, s, l);
>-
>- s = t;
>+ start = (char *)(out->data);
>+ in_space = true;
>+ t = start;
>+ for (s = start; *s != '\0'; s++) {
>+ if (*s == ' ') {
>+ if (in_space) {
>+ /*
>+ * We already have one (or this is the start)
>+ * and we don't want to add more
>+ */
>+ continue;
>+ }
>+ in_space = true;
>+ } else {
>+ in_space = false;
>+ }
>+ *t = *s;
>+ t++;
> }
>
>- /* check middle spaces */
>- while ((t = strchr(s, ' ')) != NULL) {
>- for (s = t; *s == ' '; s++) ;
>-
>- if ((s - t) > 1) {
>- l = strlen(s);
>-
>- /* remove all spaces but one by moving down the string */
>- memmove(t + 1, s, l);
>- }
>+ if (in_space && t != start) {
>+ /* the loop will have left a single trailing space */
>+ t--;
> }
>+ *t = '\0';
>
>- out->length = strlen((char *)out->data);
>+ out->length = t - start;
> return 0;
> }
>
>--
>2.20.1
>
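Review bot: The compaction loop stops only at a NUL byte (`for (s = start; *s != '\0'; s++)`), so it is safe only if the buffer stored in out->data earlier in ldb_handler_fold, outside this hunk, is always NUL-terminated; nothing in the visible lines states or checks that. Since the bug this patch is attached to reports an out-of-bounds read in this function, I would record the invariant next to the loop, e.g. `/* out->data is a NUL-terminated copy made above; the scan relies on that terminator */`. The diffstat shows only attrib_handlers.c changing, so the patch carries no regression test; cases worth pinning are an all-space value, leading and trailing runs, and repeated interior spaces, each checked for both the resulting string and out->length.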