1668 CVE 2011-3508 (ldap format string issues)


   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.

  24  */
  25 
  26 /*
  27  * native LDAP related utility routines
  28  */
  29 
  30 #include "idmapd.h"
  31 #include "idmap_priv.h"
  32 #include "ns_sldap.h"
  33 #include "nldaputils.h"
  34 #include <assert.h>
  35 
  36 /*
  37  * The following are format strings used to construct LDAP search filters
  38  * when looking up Native LDAP directory service. The _F_XXX_SSD format
  39  * is used by the libsldap API if a corresponding SSD is defined in
  40  * Native LDAP configuration. The SSD contains a string that replaces
  41  * the first %s in _F_XXX_SSD. If no SSD is defined then the regular
  42  * _F_XXX format is used.
  43  *


 130  * in it, and will use the format string with sprintf() to insert the
 131  * SSD filter.
 132  *
 133  * This routine and userdata are passed to the __ns_ldap_list_batch_add()
 134  * API.
 135  *
 136  * Consider an example that uses __ns_ldap_list_batch_add() to lookup
 137  * native LDAP directory using a given userid 'xy12345'. In this
 138  * example the userdata will contain the filter "(&(%s)(cn=xy1234))".
 139  * If a SSD is defined to replace the rfc2307bis specified filter
 140  * i.e. (objectClass=posixAccount) by a site-specific filter
 141  * say (department=sds) then this routine when called will produce
 142  * "(&(department=sds)(uid=xy1234))" as the real search filter.
 143  */
 144 static
 145 int
 146 merge_SSD_filter(const ns_ldap_search_desc_t *desc,
 147         char **realfilter, const void *userdata)
 148 {
 149         int     len;


 150         if (realfilter == NULL)
 151                 return (NS_LDAP_INVALID_PARAM);
 152         *realfilter = NULL;
 153         if (desc == NULL || desc->filter == NULL || userdata == NULL)
 154                 return (NS_LDAP_INVALID_PARAM);















 155         len = strlen(userdata) + strlen(desc->filter) + 1;
 156         *realfilter = (char *)malloc(len);
 157         if (*realfilter == NULL)
 158                 return (NS_LDAP_MEMORY);
 159         (void) sprintf(*realfilter, (char *)userdata, desc->filter);
 160         return (NS_LDAP_SUCCESS);
 161 }
 162 
 163 static
 164 char
 165 hex_char(int n)
 166 {
 167         return ("0123456789abcdef"[n & 0xf]);
 168 }
 169 
 170 /*
 171  * If the input string contains special characters that needs to be
 172  * escaped before the string can be used in a LDAP filter then this
 173  * function will return a new sanitized string. Otherwise this function
 174  * returns the input string (This saves us un-necessary memory allocations




   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
  25  */
  26 
  27 /*
  28  * native LDAP related utility routines
  29  */
  30 
  31 #include "idmapd.h"
  32 #include "idmap_priv.h"
  33 #include "ns_sldap.h"
  34 #include "nldaputils.h"
  35 #include <assert.h>
  36 
  37 /*
  38  * The following are format strings used to construct LDAP search filters
  39  * when looking up Native LDAP directory service. The _F_XXX_SSD format
  40  * is used by the libsldap API if a corresponding SSD is defined in
  41  * Native LDAP configuration. The SSD contains a string that replaces
  42  * the first %s in _F_XXX_SSD. If no SSD is defined then the regular
  43  * _F_XXX format is used.
  44  *


 131  * in it, and will use the format string with sprintf() to insert the
 132  * SSD filter.
 133  *
 134  * This routine and userdata are passed to the __ns_ldap_list_batch_add()
 135  * API.
 136  *
 137  * Consider an example that uses __ns_ldap_list_batch_add() to lookup
 138  * native LDAP directory using a given userid 'xy12345'. In this
 139  * example the userdata will contain the filter "(&(%s)(cn=xy1234))".
 140  * If a SSD is defined to replace the rfc2307bis specified filter
 141  * i.e. (objectClass=posixAccount) by a site-specific filter
 142  * say (department=sds) then this routine when called will produce
 143  * "(&(department=sds)(uid=xy1234))" as the real search filter.
 144  */
 145 static
 146 int
 147 merge_SSD_filter(const ns_ldap_search_desc_t *desc,
 148         char **realfilter, const void *userdata)
 149 {
 150         int     len;
 151         char *checker;
 152 
 153         if (realfilter == NULL)
 154                 return (NS_LDAP_INVALID_PARAM);
 155         *realfilter = NULL;
 156         if (desc == NULL || desc->filter == NULL || userdata == NULL)
 157                 return (NS_LDAP_INVALID_PARAM);
 158 
 159         /* Parameter check.  We only want one %s here, otherwise bail. */
 160         len = 0;        /* Reuse 'len' as "Number of %s hits"... */
 161         checker = (char *)userdata;
 162         do {
 163                 checker = strchr(checker, '%');
 164                 if (checker != NULL) {
 165                         if (len > 0 || *(checker + 1) != 's')
 166                                 return (NS_LDAP_INVALID_PARAM);
 167                         len++;  /* Got our %s. */
 168                         checker += 2;
 169                 } else if (len != 1)
 170                         return (NS_LDAP_INVALID_PARAM);
 171         } while (checker != NULL);
 172 
 173         len = strlen(userdata) + strlen(desc->filter) + 1;
 174         *realfilter = (char *)malloc(len);
 175         if (*realfilter == NULL)
 176                 return (NS_LDAP_MEMORY);
 177         (void) sprintf(*realfilter, (char *)userdata, desc->filter);
 178         return (NS_LDAP_SUCCESS);
 179 }
 180 
 181 static
 182 char
 183 hex_char(int n)
 184 {
 185         return ("0123456789abcdef"[n & 0xf]);
 186 }
 187 
 188 /*
 189  * If the input string contains special characters that needs to be
 190  * escaped before the string can be used in a LDAP filter then this
 191  * function will return a new sanitized string. Otherwise this function
 192  * returns the input string (This saves us un-necessary memory allocations
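Review bot: The `sprintf()` at new line 177 is still unbounded and still takes its format from `userdata`; it is safe only because the new pre-check guarantees exactly one `%s`, which is what makes `strlen(userdata) + strlen(desc->filter) + 1` large enough. Making the bound explicit with `(void) snprintf(*realfilter, len, (const char *)userdata, desc->filter);` keeps the write inside the allocation even if the check is later relaxed. In the check itself (new lines 160-171), reusing `len` as the `%s` counter obscures the logic; a separate `int hits` and a `const char *checker = userdata;` without the const-dropping cast would read more clearly. A literal `%%` in `userdata` is now rejected with NS_LDAP_INVALID_PARAM, which deserves a sentence in the function's header comment so callers know the filter template must contain exactly one `%s` and no other `%`.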