1668 CVE 2011-3508 (ldap format string issues)
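--- a/usr/src/lib/libsldap/common/ns_getalias.c
+++ b/usr/src/lib/libsldap/common/ns_getalias.c
@@ -1,218 +1,230 @@
 /*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
 
 /*
 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
 */
 
-#pragma ident "%Z%%M% %I% %E% SMI"
-
 #include <stdlib.h>
 #include <libintl.h>
 #include <stdio.h>
 #include <errno.h>
 #include <strings.h>
 #include "ns_sldap.h"
 #include "ns_internal.h"
 
 /*
 * getldaplaliasbyname() retrieves the aliases information from the LDAP server.
 * This is requires that the LDAP naming information (ie. LDAP_CLIENT_CACHE
 * file) is configured properly on the client machine.
 *
 * Return value:
 * 0 = success;
 * 1 = alias not found;
 * -1 = other failure. Contents in answer are undefined.
 */
 
 #define ALIAS_FILTER "(&(objectclass=mailgroup)(|(cn=%s)(mail=%s)))"
 #define ALIAS_FILTER_SSD "(&(%%s)(|(cn=%s)(mail=%s)))"
 #define MAIL_CN "cn"
 #define MAIL_ATTRIBUTE "mail"
 #define MAIL_MEMBER "mgrpRFC822MailMember"
 
 /*
 * This is a generic filter call back function for
 * merging the filter from service search descriptor with
 * an existing search filter. This routine expects userdata
 * contain a format string with a single %s in it, and will
 * use the format string with sprintf() to insert the SSD filter.
 *
 * This routine is passed to the __ns_ldap_list() API as the
 * filter call back together with filter and userdata. For example,
 * "(&(objectclass=mailgroup)(|(cn=abc)(mail=abc)))" as filter
 * and "(&(%s)(|(cn=abc)(mail=abc)))" as userdata.
 * This routine will then be called by __ns_ldap_list() to output
 * "(&(dept=sds)(|(cn=abc)(mail=abc)))" as the real search
 * filter, if the input SSD contains a filter "dpet=sds".
 */
 int
 __s_api_merge_SSD_filter(const ns_ldap_search_desc_t *desc,
 char **realfilter,
 const void *userdata)
 {
 int len;
+ char *checker;
 
 /* sanity check */
 if (realfilter == NULL)
 return (NS_LDAP_INVALID_PARAM);
 *realfilter = NULL;
 
- if (desc == NULL || desc->filter == NULL ||
- userdata == NULL)
+ if (desc == NULL || desc->filter == NULL || userdata == NULL)
 return (NS_LDAP_INVALID_PARAM);
 
+ /* Parameter check. We only want one %s here, otherwise bail. */
+ len = 0; /* Reuse 'len' as "Number of %s hits"... */
+ checker = (char *)userdata;
+ do {
+ checker = strchr(checker, '%');
+ if (checker != NULL) {
+ if (len > 0 || *(checker + 1) != 's')
+ return (NS_LDAP_INVALID_PARAM);
+ len++; /* Got our %s. */
+ checker += 2;
+ } else if (len != 1)
+ return (NS_LDAP_INVALID_PARAM);
+ } while (checker != NULL);
+
 len = strlen(userdata) + strlen(desc->filter) + 1;
 
 *realfilter = (char *)malloc(len);
 if (*realfilter == NULL)
 return (NS_LDAP_MEMORY);
 
- (void) sprintf(*realfilter, (char *)userdata,
- desc->filter);
+ (void) sprintf(*realfilter, (char *)userdata, desc->filter);
 
 return (NS_LDAP_SUCCESS);
 }
 char *
 __getldapaliasbyname(char *alias, int *retval)
 {
 char *service = "aliases";
 char filter[BUFSIZE];
 char userdata[BUFSIZE];
 char *attribute[2];
 ns_ldap_result_t *result = NULL;
 ns_ldap_error_t *errorp = NULL;
 int rc, i, j, len, comma;
 ns_ldap_entry_t *entry = NULL;
 char **attr_value = NULL;
 char *answer, *new_answer;
 size_t ans_size = BUFSIZE;
 
 if (!alias || !*alias) {
 errno = EINVAL;
 *retval = -1;
 return (NULL);
 }
 
 answer = malloc(ans_size);
 if (answer == NULL) {
 errno = ENOMEM;
 *retval = -1;
 return (NULL);
 }
 answer[0] = '\0';
 
 /* get the aliases */
 if (snprintf(filter, sizeof (filter), ALIAS_FILTER, alias, alias) < 0) {
 errno = EINVAL;
 *retval = -1;
 return (NULL);
 }
 
 /* get the userdata for __ns_ldap_list filter call back */
 if (snprintf(userdata, sizeof (userdata), ALIAS_FILTER_SSD,
 alias, alias) < 0) {
 errno = EINVAL;
 *retval = -1;
 return (NULL);
 }
 
 attribute[0] = MAIL_MEMBER;
 attribute[1] = NULL;
 
 /* should we do hardlookup */
 rc = __ns_ldap_list(service, (const char *)filter,
- __s_api_merge_SSD_filter,
- (const char **)attribute, NULL, 0, &result,
- &errorp, NULL, userdata);
+ __s_api_merge_SSD_filter,
+ (const char **)attribute, NULL, 0, &result,
+ &errorp, NULL, userdata);
 
 if (rc == NS_LDAP_NOTFOUND) {
 errno = ENOENT;
 *retval = 1;
 return (NULL);
 } else if (rc != NS_LDAP_SUCCESS) {
 #ifdef DEBUG
 char *p;
 (void) __ns_ldap_err2str(rc, &p);
 if (errorp) {
 if (errorp->message)
 (void) fprintf(stderr, "%s (%s)\n", p,
- errorp->message);
+ errorp->message);
 } else
 (void) fprintf(stderr, "%s\n", p);
 #endif /* DEBUG */
 (void) __ns_ldap_freeError(&errorp);
 *retval = -1;
 return (NULL);
 }
 
 /* build the return value */
 answer[0] = '\0';
 len = 0;
 comma = 0;
 entry = result->entry;
 for (i = 0; i < result->entries_count; i++) {
 attr_value = __ns_ldap_getAttr(entry, MAIL_MEMBER);
 if (attr_value == NULL) {
 errno = ENOENT;
 *retval = -1;
 return (NULL);
 }
 for (j = 0; attr_value[j]; j++) {
 char *tmp, *newhead;
 
 tmp = attr_value[j];
 while (*tmp == ' ' || *tmp == '\t' && *tmp != '\0')
 tmp++;
 newhead = tmp;
 while (*tmp != '\0') tmp++;
 while (*tmp == ' ' || *tmp == '\t' || *tmp == '\0' &&
 tmp != newhead) {
 *tmp-- = '\0';
 }
 len = len + comma + strlen(newhead);
 if ((len + 1) > ans_size) {
 ans_size += BUFSIZE;
 new_answer = realloc(answer, ans_size);
 if (new_answer == NULL) {
 (void) __ns_ldap_freeResult(&result);
 errno = ENOMEM;
 *retval = -1;
 free(answer);
 return (NULL);
 }
 answer = new_answer;
 }
 if (comma)
 (void) strcat(answer, ",");
 else
 comma = 1;
 (void) strcat(answer, newhead);
 }
 }
 
 (void) __ns_ldap_freeResult(&result);
 errno = 0;
 *retval = 0;
 return (answer);
 }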
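Review bot: `__getldapaliasbyname` still formats the caller-supplied `alias` into `userdata`, which `__s_api_merge_SSD_filter` then hands to `sprintf()` as the format string, so with the new one-`%s` check an alias containing `%` is rejected with `NS_LDAP_INVALID_PARAM` instead of being looked up; that should be documented at the `snprintf(userdata, ...)` call, or the alias should be screened before the format string is built. The same `alias` is placed in the `cn=`/`mail=` assertions of both filters with no visible escaping of LDAP filter metacharacters; whether callers sanitize it is not shown here. In the merge function the write is still an unbounded `sprintf`, and since `len` already holds the allocation size, `(void) snprintf(*realfilter, len, (const char *)userdata, desc->filter);` would keep the copy inside the buffer if the check is ever relaxed. The scan only reads, so `const char *checker = userdata;` avoids casting away const.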