[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: sprintf segv in ldapsearch (ITS#274)

To: openldap-its@OpenLDAP.org
Subject: Re: sprintf segv in ldapsearch (ITS#274)
From: noel@burton-krahn.com
Date: Thu, 26 Aug 1999 07:38:40 GMT

Hi Kurt,


I see that you avoid sprintf if filtpatt is NULL.  However, you're
still vulnerable to sprintf % escapes if it isn't.

    ldapsearch -f file attr='*%f %s*'

will try to cast the arg as a float, then put random stack data at
%s.  Yikes!  How about doing %s by hand?  Here is some clunky and
untested code:

    char *p, *q, *end;

    end = filter + FILTER_BUF_SIZE;
    for(p=filter, q=filtpat; p<end && *q; ) {
	if( *q == '%' ) {
	    q++;
	    if( *q == 0 ) {
		/* a % at end of string?  just copy it and quit */
		*p++ = '%';
		break;
	    }
	    else if( *q == 's' ) {
		/* insert value at %s */
		strncpy(p, value, end-p);
		p += strlen(p);
	    } 
	    else if( *q == '%' ) {
		/* map %% to % */
		*p++ = *q++;
	    }
	    else {
		/* unrecognized %x.  copy it verbatim */
		*p++ = '%';
		*p++ = *q++;
	    }
	}
	else {
	    *p++ = *q++;
	}
    }
    if( p>=end ) { p = end-1; }
    *p++ = 0;

--Noel

> 
> Thanks,  I applied a fix to OPENLDAP_REL_ENG_1_2.  Please test.
> 
> At 11:43 PM 8/25/99 GMT, you wrote:
> >
> >Try this for a segfault:
> >
> >    ldapsearch 'any_attr=%1000000s'
> >
> >It comes from passing the search filter directly to sprintf at line
> >354 of ldapsearch.c:
> >
> >    static int dosearch(
> >	    LDAP    *ld,
> >	char        *base,
> >	int         scope,
> >	char        **attrs,
> >	int         attrsonly,
> >	char        *filtpatt,
> >	char        *value)
> >    {
> >	char                filter[ BUFSIZ ];
> >	int                 rc, first, matches;
> >	LDAPMessage         *res, *e;
> >
> >	sprintf( filter, filtpatt, value );
> >
> >	...
> >
> >Now, few people are going to type in the search filter above, but I
> >did run into problems searching for values which contained a '%'
> >char.  The man page states:
> >
> >       -f file
> >              Read a series of lines from  file,  performing  one
> >              LDAP  search for each line.  In this case, the fil-
> >              ter given on the command line is treated as a  pat-
> >              tern  where  the first occurrence of %s is replaced
> >              with a line from file.  If file is a single - char-
> >              acter, then the lines are read from standard input.
> >
> >I would interpret that to mean that if the -f flag is not set, then
> >'%' should not be interpreted by sprintf.
> >
> >--Noel
> >
> >
> >
> >
> >
>

Prev by Date: escaping '*' in search strings (ITS#275)
Next by Date: Re: escaping '*' in search strings (ITS#275)
Index(es):
- Chronological
- Thread