
sprintf segv in ldapsearch (ITS#274)

Try this for a segfault:

    ldapsearch 'any_attr=%1000000s'

It comes from passing the search filter directly to sprintf at line
354 of ldapsearch.c:

    static int dosearch(
        LDAP        *ld,
        char        *base,
        int         scope,
        char        **attrs,
        int         attrsonly,
        char        *filtpatt,
        char        *value )
    {
        char                filter[ BUFSIZ ];
        int                 rc, first, matches;
        LDAPMessage         *res, *e;

        sprintf( filter, filtpatt, value );
        /* ... */


Now, few people are going to type in the search filter above, but I
did run into problems searching for values which contained a '%'
char.  The man page states:

       -f file
              Read a series of lines from  file,  performing  one
              LDAP  search for each line.  In this case, the fil-
              ter given on the command line is treated as a  pat-
              tern  where  the first occurrence of %s is replaced
              with a line from file.  If file is a single - char-
              acter, then the lines are read from standard input.

I would interpret that to mean that if the -f flag is not set, then
'%' should not be interpreted by sprintf.
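The following is an added example, written for this page rather than taken from OpenLDAP, of how the filter expansion quoted above can be done without ever handing the user-supplied pattern to a printf-family function. The function name expand_filter(), the 64-byte buffer and the sample inputs are all assumptions made for the demonstration; only the first "%s" is substituted, as the man page describes, and any other '%' in the pattern is copied through untouched. A NULL value stands for "-f not given", in which case the filter is used literally, and an expansion that would not fit is rejected instead of overrunning the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical replacement for "sprintf( filter, filtpatt, value )".
 * Substitutes the first "%s" in filtpatt with value (if value is non-NULL)
 * by plain byte copies; the pattern is never used as a format string, so a
 * filter such as "any_attr=%1000000s" cannot make it overflow.  Returns 0 on
 * success, -1 if the result would not fit in outlen bytes (out is untouched). */
static int expand_filter(char *out, size_t outlen,
                         const char *filtpatt, const char *value)
{
    const char *marker = value ? strstr(filtpatt, "%s") : NULL;
    size_t pre, vlen, post;

    if (marker == NULL) {
        /* No -f value, or no "%s" in the pattern: take the filter literally,
         * so a '%' in a search value is left alone. */
        size_t len = strlen(filtpatt);
        if (len >= outlen)
            return -1;
        memcpy(out, filtpatt, len + 1);
        return 0;
    }

    pre  = (size_t)(marker - filtpatt);   /* bytes before "%s" */
    vlen = strlen(value);                 /* substituted line from file */
    post = strlen(marker + 2);            /* bytes after "%s" */
    if (pre + vlen + post >= outlen)      /* +1 for the terminating NUL */
        return -1;

    memcpy(out, filtpatt, pre);
    memcpy(out + pre, value, vlen);
    memcpy(out + pre + vlen, marker + 2, post + 1);   /* copies the NUL too */
    return 0;
}

/* Convenience wrapper: expand into a static 64-byte buffer (assumed size)
 * and return it, or NULL if the expansion was rejected. */
static const char *expanded(const char *filtpatt, const char *value)
{
    static char buf[64];
    return expand_filter(buf, sizeof buf, filtpatt, value) == 0 ? buf : NULL;
}

/* Demonstrates the bounds check: a constructed 199-byte value must be
 * refused, and the output buffer must be left as it was.  Returns 1 if so. */
static int rejects_oversize(void)
{
    char big[200], out[64];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    memset(out, 'X', sizeof out);
    if (expand_filter(out, sizeof out, "(cn=%s)", big) != -1)
        return 0;
    return out[0] == 'X';
}

int main(void)
{
    /* Constructed inputs: the crashing filter from the report with no -f
     * value, and a -f line that itself contains a '%'. */
    printf("literal:  %s\n", expanded("any_attr=%1000000s", NULL));
    printf("expanded: %s\n", expanded("(cn=%s)", "100%"));
    printf("oversize rejected: %s\n", rejects_oversize() ? "yes" : "no");
    return 0;
}
```

Run without arguments, the program copies the "%1000000s" filter through unchanged instead of faulting, substitutes "100%" without interpreting the percent sign, and reports the oversize value as rejected.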