Commit 4a86a767 authored by Pierangelo Masarati's avatar Pierangelo Masarati
Browse files

more unparsing buffer overflow cleanup

parent 81bafb99
......@@ -741,7 +741,8 @@ config_generic(ConfigArgs *c) {
break;
}
bv.bv_val = buf + bv.bv_len;
limits_unparse( c->be->be_limits[i], &bv );
limits_unparse( c->be->be_limits[i], &bv,
sizeof( buf ) - ( bv.bv_val - buf ) );
bv.bv_len += bv.bv_val - buf;
bv.bv_val = buf;
value_add_one( &c->rvalue_vals, &bv );
......@@ -1597,7 +1598,7 @@ config_sizelimit(ConfigArgs *c) {
struct berval bv;
bv.bv_val = buf;
bv.bv_len = 0;
limits_unparse_one( lim, SLAP_LIMIT_SIZE, &bv );
limits_unparse_one( lim, SLAP_LIMIT_SIZE, &bv, sizeof( buf ) );
if ( !BER_BVISEMPTY( &bv ))
value_add_one( &c->rvalue_vals, &bv );
else
......@@ -1648,7 +1649,7 @@ config_timelimit(ConfigArgs *c) {
struct berval bv;
bv.bv_val = buf;
bv.bv_len = 0;
limits_unparse_one( lim, SLAP_LIMIT_TIME, &bv );
limits_unparse_one( lim, SLAP_LIMIT_TIME, &bv, sizeof( buf ) );
if ( !BER_BVISEMPTY( &bv ))
value_add_one( &c->rvalue_vals, &bv );
else
......
......@@ -873,19 +873,26 @@ static const char *lmpats[] = {
"*"
};
#define WHATSLEFT ( buflen - ( ptr - bv->bv_val ) )
/* Caller must provide an adequately sized buffer in bv */
void
limits_unparse( struct slap_limits *lim, struct berval *bv )
int
limits_unparse( struct slap_limits *lim, struct berval *bv, ber_len_t buflen )
{
struct berval btmp;
char *ptr;
int lm;
if ( !bv || !bv->bv_val ) return;
if ( !bv || !bv->bv_val ) return -1;
ptr = bv->bv_val;
if (( lim->lm_flags & SLAP_LIMITS_TYPE_MASK ) == SLAP_LIMITS_TYPE_GROUP ) {
if ( WHATSLEFT <= STRLENOF( "group/" "/" "=\"" "\"" )
+ lim->lm_group_oc->soc_cname.bv_len
+ lim->lm_group_ad->ad_cname.bv_len
+ lim->lm_pat.bv_len ) return -1;
ptr = lutil_strcopy( ptr, "group/" );
ptr = lutil_strcopy( ptr, lim->lm_group_oc->soc_cname.bv_val );
*ptr++ = '/';
......@@ -899,6 +906,7 @@ limits_unparse( struct slap_limits *lim, struct berval *bv )
case SLAP_LIMITS_ANONYMOUS:
case SLAP_LIMITS_USERS:
case SLAP_LIMITS_ANY:
if ( WHATSLEFT <= strlen( lmpats[lm] ) ) return -1;
ptr = lutil_strcopy( ptr, lmpats[lm] );
break;
case SLAP_LIMITS_UNDEFINED:
......@@ -907,6 +915,8 @@ limits_unparse( struct slap_limits *lim, struct berval *bv )
case SLAP_LIMITS_SUBTREE:
case SLAP_LIMITS_CHILDREN:
case SLAP_LIMITS_REGEX:
if ( WHATSLEFT <= STRLENOF( "dn." "=" "\"" "\"" )
+ strlen( lmpats[lm] ) + lim->lm_pat.bv_len ) return -1;
ptr = lutil_strcopy( ptr, "dn." );
ptr = lutil_strcopy( ptr, lmpats[lm] );
*ptr++ = '=';
......@@ -916,17 +926,24 @@ limits_unparse( struct slap_limits *lim, struct berval *bv )
break;
}
}
if ( WHATSLEFT <= STRLENOF( " " ) ) return -1;
*ptr++ = ' ';
bv->bv_len = ptr - bv->bv_val;
btmp.bv_val = ptr;
btmp.bv_len = 0;
limits_unparse_one( &lim->lm_limits, SLAP_LIMIT_SIZE|SLAP_LIMIT_TIME, &btmp );
if ( limits_unparse_one( &lim->lm_limits,
SLAP_LIMIT_SIZE|SLAP_LIMIT_TIME,
&btmp, WHATSLEFT ) )
{
return -1;
}
bv->bv_len += btmp.bv_len;
return 0;
}
/* Caller must provide an adequately sized buffer in bv */
void
limits_unparse_one( struct slap_limits_set *lim, int which, struct berval *bv )
int
limits_unparse_one( struct slap_limits_set *lim, int which, struct berval *bv, ber_len_t buflen )
{
char *ptr;
......@@ -940,89 +957,126 @@ limits_unparse_one( struct slap_limits_set *lim, int which, struct berval *bv )
/* If same as global limit, drop it */
if ( lim != &frontendDB->be_def_limit &&
lim->lms_s_soft == frontendDB->be_def_limit.lms_s_soft )
{
goto s_hard;
/* If there's also a hard limit, fully qualify this one */
else if ( lim->lms_s_hard )
} else if ( lim->lms_s_hard ) {
if ( WHATSLEFT <= STRLENOF( " size.soft=" ) ) return -1;
ptr = lutil_strcopy( ptr, " size.soft=" );
/* If doing both size & time, qualify this */
else if ( which & SLAP_LIMIT_TIME )
} else if ( which & SLAP_LIMIT_TIME ) {
if ( WHATSLEFT <= STRLENOF( " size=" ) ) return -1;
ptr = lutil_strcopy( ptr, " size=" );
}
if ( lim->lms_s_soft == -1 )
if ( lim->lms_s_soft == -1 ) {
if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
ptr = lutil_strcopy( ptr, "unlimited" );
else
ptr += sprintf( ptr, "%d", lim->lms_s_soft );
} else {
ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_s_soft );
if ( WHATSLEFT < 0 ) return -1;
}
*ptr++ = ' ';
}
s_hard:
if ( lim->lms_s_hard ) {
if ( WHATSLEFT <= STRLENOF( " size.hard=" ) ) return -1;
ptr = lutil_strcopy( ptr, " size.hard=" );
if ( lim->lms_s_hard == -1 )
if ( lim->lms_s_hard == -1 ) {
if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
ptr = lutil_strcopy( ptr, "unlimited" );
else
ptr += sprintf( ptr, "%d", lim->lms_s_hard );
} else {
ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_s_hard );
if ( WHATSLEFT < 0 ) return -1;
}
*ptr++ = ' ';
}
if ( lim->lms_s_unchecked != -1 ) {
if ( WHATSLEFT <= STRLENOF( " size.unchecked=" ) ) return -1;
ptr = lutil_strcopy( ptr, " size.unchecked=" );
if ( lim->lms_s_unchecked == 0 )
if ( lim->lms_s_unchecked == 0 ) {
if ( WHATSLEFT <= STRLENOF( "disabled" ) ) return -1;
ptr = lutil_strcopy( ptr, "disabled" );
else
ptr += sprintf( ptr, "%d", lim->lms_s_unchecked );
} else {
ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_s_unchecked );
if ( WHATSLEFT < 0 ) return -1;
}
*ptr++ = ' ';
}
if ( lim->lms_s_pr_hide ) {
if ( WHATSLEFT <= STRLENOF( " size.pr=noEstimate " ) ) return -1;
ptr = lutil_strcopy( ptr, " size.pr=noEstimate " );
}
if ( lim->lms_s_pr ) {
if ( WHATSLEFT <= STRLENOF( " size.pr=" ) ) return -1;
ptr = lutil_strcopy( ptr, " size.pr=" );
if ( lim->lms_s_pr == -1 )
if ( lim->lms_s_pr == -1 ) {
if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
ptr = lutil_strcopy( ptr, "unlimited" );
else
ptr += sprintf( ptr, "%d", lim->lms_s_pr );
} else {
ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_s_pr );
if ( WHATSLEFT < 0 ) return -1;
}
*ptr++ = ' ';
}
if ( lim->lms_s_pr_total ) {
if ( WHATSLEFT <= STRLENOF( " size.prtotal=" ) ) return -1;
ptr = lutil_strcopy( ptr, " size.prtotal=" );
if ( lim->lms_s_pr_total == -1 )
if ( lim->lms_s_pr_total == -1 ) {
if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
ptr = lutil_strcopy( ptr, "unlimited" );
else if ( lim->lms_s_pr_total == -2 )
} else if ( lim->lms_s_pr_total == -2 ) {
if ( WHATSLEFT <= STRLENOF( "disabled" ) ) return -1;
ptr = lutil_strcopy( ptr, "disabled" );
else
ptr += sprintf( ptr, "%d", lim->lms_s_pr_total );
} else {
ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_s_pr_total );
if ( WHATSLEFT < 0 ) return -1;
}
*ptr++ = ' ';
}
}
if ( which & SLAP_LIMIT_TIME ) {
if ( lim->lms_t_soft != SLAPD_DEFAULT_TIMELIMIT ) {
/* If same as global limit, drop it */
if ( lim != &frontendDB->be_def_limit &&
lim->lms_t_soft == frontendDB->be_def_limit.lms_t_soft )
{
goto t_hard;
/* If there's also a hard limit, fully qualify this one */
else if ( lim->lms_t_hard )
} else if ( lim->lms_t_hard ) {
if ( WHATSLEFT <= STRLENOF( " time.soft=" ) ) return -1;
ptr = lutil_strcopy( ptr, " time.soft=" );
/* If doing both size & time, qualify this */
else if ( which & SLAP_LIMIT_SIZE )
} else if ( which & SLAP_LIMIT_SIZE ) {
if ( WHATSLEFT <= STRLENOF( " time=" ) ) return -1;
ptr = lutil_strcopy( ptr, " time=" );
}
if ( lim->lms_t_soft == -1 )
if ( lim->lms_t_soft == -1 ) {
if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
ptr = lutil_strcopy( ptr, "unlimited" );
else
ptr += sprintf( ptr, "%d", lim->lms_t_soft );
} else {
ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_t_soft );
if ( WHATSLEFT < 0 ) return -1;
}
*ptr++ = ' ';
}
t_hard:
if ( lim->lms_t_hard ) {
if ( WHATSLEFT <= STRLENOF( " time.hard=" ) ) return -1;
ptr = lutil_strcopy( ptr, " time.hard=" );
if ( lim->lms_t_hard == -1 )
if ( lim->lms_t_hard == -1 ) {
if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
ptr = lutil_strcopy( ptr, "unlimited" );
else
ptr += sprintf( ptr, "%d", lim->lms_t_hard );
} else {
ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_t_hard );
if ( WHATSLEFT < 0 ) return -1;
}
*ptr++ = ' ';
}
}
......
......@@ -992,10 +992,10 @@ LDAP_SLAPD_F (int) limits_parse_one LDAP_P(( const char *arg,
struct slap_limits_set *limit ));
LDAP_SLAPD_F (int) limits_check LDAP_P((
Operation *op, SlapReply *rs ));
LDAP_SLAPD_F (void) limits_unparse_one LDAP_P((
struct slap_limits_set *limit, int which, struct berval *bv ));
LDAP_SLAPD_F (void) limits_unparse LDAP_P((
struct slap_limits *limit, struct berval *bv ));
LDAP_SLAPD_F (int) limits_unparse_one LDAP_P((
struct slap_limits_set *limit, int which, struct berval *bv, ber_len_t buflen ));
LDAP_SLAPD_F (int) limits_unparse LDAP_P((
struct slap_limits *limit, struct berval *bv, ber_len_t buflen ));
LDAP_SLAPD_F (void) limits_destroy LDAP_P(( struct slap_limits **lm ));
/*
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment