[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#7995) of-by-one error in schema
Ð?еонид ЮÑ?Ñ?ев wrote:
> (2)
> But let see to lines 570-575 of mdb-back/attr.c and lines 764-772 of slapd/ad.c:
> - does the mdb-value include a NUL byte =
> https://github.com/leo-yuriev/openldap-lmdb-challenge/blob/2.4-devel/servers/slapd/back-mdb/attr.c#L570?
> - if "YES" then "+1" at slapd/ad.c:764 is wrong =
> https://github.com/leo-yuriev/openldap-lmdb-challenge/blob/2.4-devel/servers/slapd/ad.c#L764
> - but if "NO" then "strcpy()" at slapd/ad.c:772 (and more) is wrong =
> https://github.com/leo-yuriev/openldap-lmdb-challenge/blob/2.4-devel/servers/slapd/ad.c#L772
And the answer is no, back-mdb/attr.c mdb_ad_get() doesn't store the
trailing NUL byte,
> diff --git a/servers/slapd/ad.c b/servers/slapd/ad.c
> index 246b900..fd60483 100644
> --- a/servers/slapd/ad.c
> +++ b/servers/slapd/ad.c
> @@ -118,7 +118,7 @@ AttributeDescription * ad_find_tags(
> for (ad = type->sat_ad; ad; ad=ad->ad_next)
> {
> if (ad->ad_tags.bv_len == tags->bv_len &&
> - !strcasecmp(ad->ad_tags.bv_val, tags->bv_val))
> + !strncasecmp( ad->ad_tags.bv_val, tags->bv_val, ad->ad_tags.bv_len ))
> break;
> }
Unnecessary.
> ldap_pvt_thread_mutex_unlock( &type->sat_ad_mutex );
> @@ -742,14 +742,13 @@ int slap_bv2undef_ad(
> /* use the appropriate type */
> if ( flags & SLAP_AD_PROXIED ) {
> at = slap_schema.si_at_proxied;
> -
> } else {
> at = slap_schema.si_at_undefined;
> }
>
> for( desc = at->sat_ad; desc; desc=desc->ad_next ) {
> if( desc->ad_cname.bv_len == bv->bv_len &&
> - !strcasecmp( desc->ad_cname.bv_val, bv->bv_val ) )
> + !strncasecmp( desc->ad_cname.bv_val, bv->bv_val, desc->ad_cname.bv_len) )
Unnecessary. We've already checked that the two lengths are equal; even
if bv->bv_val is non-terminated the compare will stop because
desc->ad_cname is terminated.
> {
> break;
> }
> @@ -769,7 +768,8 @@ int slap_bv2undef_ad(
>
> desc->ad_cname.bv_len = bv->bv_len;
> desc->ad_cname.bv_val = (char *)(desc+1);
> - strcpy(desc->ad_cname.bv_val, bv->bv_val);
> + strncpy( desc->ad_cname.bv_val, bv->bv_val, desc->ad_cname.bv_len )
> + [desc->ad_cname.bv_len] = '\0';
This is a valid fix.
>
> /* canonical to upper case */
> ldap_pvt_str2upper( desc->ad_cname.bv_val );
> @@ -806,9 +806,10 @@ slap_bv2tmp_ad(
> slap_sl_mfuncs.bmf_malloc( sizeof(AttributeDescription) +
> bv->bv_len + 1, memctx );
>
> - ad->ad_cname.bv_val = (char *)(ad+1);
> - strncpy( ad->ad_cname.bv_val, bv->bv_val, bv->bv_len+1 );
> ad->ad_cname.bv_len = bv->bv_len;
> + ad->ad_cname.bv_val = (char *)(ad+1);
> + strncpy( ad->ad_cname.bv_val, bv->bv_val, ad->ad_cname.bv_len)
> + [ad->ad_cname.bv_len] = '\0';
> ad->ad_flags = SLAP_DESC_TEMPORARY;
> ad->ad_type = slap_schema.si_at_undefined;
>
Unnecessary.
> @@ -887,7 +888,7 @@ an_find(
>
> for ( ; a->an_name.bv_val; a++ ) {
> if ( a->an_name.bv_len != s->bv_len) continue;
> - if ( strcasecmp( s->bv_val, a->an_name.bv_val ) == 0 ) {
> + if ( strncasecmp( s->bv_val, a->an_name.bv_val, s->bv_len ) == 0 ) {
> return( 1 );
> }
> }
Unnecessary.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/