1668 CVE 2011-3508 (ldap format string issues)

*** 20,33 **** * CDDL HEADER END */ /* * Copyright 2004 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ - #pragma ident "%Z%%M% %I% %E% SMI" - #include <sys/systeminfo.h> #include "ldap_common.h" #ifdef DEBUG --- 20,32 ---- * CDDL HEADER END */ /* * Copyright 2004 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * Copyright 2011 Nexenta Systems, Inc. All rights reserved. */ #include <sys/systeminfo.h> #include "ldap_common.h" #ifdef DEBUG
*** 213,222 **** --- 212,222 ---- _merge_SSD_filter(const ns_ldap_search_desc_t *desc, char **realfilter, const void *userdata) { int len; + char *checker; #ifdef DEBUG (void) fprintf(stdout, "\n[ldap_utils.c: _merge_SSD_filter]\n"); #endif /* DEBUG */
*** 223,236 **** /* sanity check */ if (realfilter == NULL) return (NS_LDAP_INVALID_PARAM); *realfilter = NULL; ! if (desc == NULL || desc->filter == NULL || ! userdata == NULL) return (NS_LDAP_INVALID_PARAM); #ifdef DEBUG (void) fprintf(stdout, "\n[userdata: %s]\n", (char *)userdata); (void) fprintf(stdout, "\n[SSD filter: %s]\n", desc->filter); #endif /* DEBUG */ --- 223,249 ---- /* sanity check */ if (realfilter == NULL) return (NS_LDAP_INVALID_PARAM); *realfilter = NULL; ! if (desc == NULL || desc->filter == NULL || userdata == NULL) return (NS_LDAP_INVALID_PARAM); + /* Parameter check. We only want one %s here, otherwise bail. */ + len = 0; /* Reuse 'len' as "Number of %s hits"... */ + checker = (char *)userdata; + do { + checker = strchr(checker, '%'); + if (checker != NULL) { + if (len > 0 || *(checker + 1) != 's') + return (NS_LDAP_INVALID_PARAM); + len++; /* Got our %s. */ + checker += 2; + } else if (len != 1) + return (NS_LDAP_INVALID_PARAM); + } while (checker != NULL); + #ifdef DEBUG (void) fprintf(stdout, "\n[userdata: %s]\n", (char *)userdata); (void) fprintf(stdout, "\n[SSD filter: %s]\n", desc->filter); #endif /* DEBUG */
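Review bot: The added parameter check rejects every `%` other than a single `%s`, including a literal `%%`, but its comment does not say why that strictness is needed. Because `userdata` is passed as the sprintf() format string in the last hunk, a comment such as `/* userdata is the sprintf() format below: accept exactly one "%s" and no other '%' (a literal "%%" is rejected too). */` would record the contract for future callers. Reusing `len` as the hit counter makes the loop harder to follow; a separate `int hits` and a `const char *checker` (declared in the previous hunk) would remove both the reuse and the cast that drops `const` from `userdata`. The sprintf() itself stays unbounded; `(void) snprintf(*realfilter, len, (char *)userdata, desc->filter);` would tie the write to the `malloc(len)` size shown in that hunk. The body of _merge_SSD_filter starts and ends outside these hunks, so the computation of `len` before the malloc is not visible here.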
*** 238,249 **** *realfilter = (char *)malloc(len); if (*realfilter == NULL) return (NS_LDAP_MEMORY); ! (void) sprintf(*realfilter, (char *)userdata, ! desc->filter); #ifdef DEBUG (void) fprintf(stdout, "\n[new filter: %s]\n", *realfilter); #endif /* DEBUG */ --- 251,261 ---- *realfilter = (char *)malloc(len); if (*realfilter == NULL) return (NS_LDAP_MEMORY); ! (void) sprintf(*realfilter, (char *)userdata, desc->filter); #ifdef DEBUG (void) fprintf(stdout, "\n[new filter: %s]\n", *realfilter); #endif /* DEBUG */