more unparsing buffer overflow cleanup

4a86a767 · Pierangelo Masarati · 81bafb99 · 4a86a767 · 4a86a767 · 4a86a767
Commit 4a86a767 authored Dec 20, 2005 by Pierangelo Masarati
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -741,7 +741,8 @@ config_generic(ConfigArgs *c) {
 						break;
 					}
 					bv.bv_val = buf + bv.bv_len;
-					limits_unparse( c->be->be_limits[i], &bv );
+					limits_unparse( c->be->be_limits[i], &bv,
+							sizeof( buf ) - ( bv.bv_val - buf ) );
 					bv.bv_len += bv.bv_val - buf;
 					bv.bv_val = buf;
 					value_add_one( &c->rvalue_vals, &bv );
@@ -1597,7 +1598,7 @@ config_sizelimit(ConfigArgs *c) {
 		struct berval bv;
 		bv.bv_val = buf;
 		bv.bv_len = 0;
-		limits_unparse_one( lim, SLAP_LIMIT_SIZE, &bv );
+		limits_unparse_one( lim, SLAP_LIMIT_SIZE, &bv, sizeof( buf ) );
 		if ( !BER_BVISEMPTY( &bv ))
 			value_add_one( &c->rvalue_vals, &bv );
 		else
@@ -1648,7 +1649,7 @@ config_timelimit(ConfigArgs *c) {
 		struct berval bv;
 		bv.bv_val = buf;
 		bv.bv_len = 0;
-		limits_unparse_one( lim, SLAP_LIMIT_TIME, &bv );
+		limits_unparse_one( lim, SLAP_LIMIT_TIME, &bv, sizeof( buf ) );
 		if ( !BER_BVISEMPTY( &bv ))
 			value_add_one( &c->rvalue_vals, &bv );
 		else

--- a/servers/slapd/limits.c
+++ b/servers/slapd/limits.c
@@ -873,19 +873,26 @@ static const char *lmpats[] = {
 	"*"
 };

+#define WHATSLEFT	( buflen - ( ptr - bv->bv_val ) )
+
 /* Caller must provide an adequately sized buffer in bv */
-void
-limits_unparse( struct slap_limits *lim, struct berval *bv )
+int
+limits_unparse( struct slap_limits *lim, struct berval *bv, ber_len_t buflen )
 {
 	struct berval btmp;
 	char *ptr;
 	int lm;

-	if ( !bv || !bv->bv_val ) return;
+	if ( !bv || !bv->bv_val ) return -1;

 	ptr = bv->bv_val;

 	if (( lim->lm_flags & SLAP_LIMITS_TYPE_MASK ) == SLAP_LIMITS_TYPE_GROUP ) {
+		if ( WHATSLEFT <= STRLENOF( "group/" "/" "=\"" "\"" )
+				+ lim->lm_group_oc->soc_cname.bv_len
+				+ lim->lm_group_ad->ad_cname.bv_len
+				+ lim->lm_pat.bv_len ) return -1;
+
 		ptr = lutil_strcopy( ptr, "group/" );
 		ptr = lutil_strcopy( ptr, lim->lm_group_oc->soc_cname.bv_val );
 		*ptr++ = '/';
@@ -899,6 +906,7 @@ limits_unparse( struct slap_limits *lim, struct berval *bv )
 		case SLAP_LIMITS_ANONYMOUS:
 		case SLAP_LIMITS_USERS:
 		case SLAP_LIMITS_ANY:
+			if ( WHATSLEFT <= strlen( lmpats[lm] ) ) return -1;
 			ptr = lutil_strcopy( ptr, lmpats[lm] );
 			break;
 		case SLAP_LIMITS_UNDEFINED:
@@ -907,6 +915,8 @@ limits_unparse( struct slap_limits *lim, struct berval *bv )
 		case SLAP_LIMITS_SUBTREE:
 		case SLAP_LIMITS_CHILDREN:
 		case SLAP_LIMITS_REGEX:
+			if ( WHATSLEFT <= STRLENOF( "dn." "=" "\"" "\"" )
+					+ strlen( lmpats[lm] ) + lim->lm_pat.bv_len ) return -1;
 			ptr = lutil_strcopy( ptr, "dn." );
 			ptr = lutil_strcopy( ptr, lmpats[lm] );
 			*ptr++ = '=';
@@ -916,17 +926,24 @@ limits_unparse( struct slap_limits *lim, struct berval *bv )
 			break;
 		}
 	}
+	if ( WHATSLEFT <= STRLENOF( " " ) ) return -1;
 	*ptr++ = ' ';
 	bv->bv_len = ptr - bv->bv_val;
 	btmp.bv_val = ptr;
 	btmp.bv_len = 0;
-	limits_unparse_one( &lim->lm_limits, SLAP_LIMIT_SIZE|SLAP_LIMIT_TIME, &btmp );
+	if ( limits_unparse_one( &lim->lm_limits,
+			SLAP_LIMIT_SIZE|SLAP_LIMIT_TIME,
+			&btmp, WHATSLEFT ) )
+	{
+		return -1;
+	}
 	bv->bv_len += btmp.bv_len;
+	return 0;
 }

 /* Caller must provide an adequately sized buffer in bv */
-void
-limits_unparse_one( struct slap_limits_set *lim, int which, struct berval *bv )
+int
+limits_unparse_one( struct slap_limits_set *lim, int which, struct berval *bv, ber_len_t buflen )
 {
 	char *ptr;

@@ -940,89 +957,126 @@ limits_unparse_one( struct slap_limits_set *lim, int which, struct berval *bv )
 			/* If same as global limit, drop it */
 			if ( lim != &frontendDB->be_def_limit &&
 				lim->lms_s_soft == frontendDB->be_def_limit.lms_s_soft )
+			{
 				goto s_hard;
 			/* If there's also a hard limit, fully qualify this one */
-			else if ( lim->lms_s_hard )
+			} else if ( lim->lms_s_hard ) {
+				if ( WHATSLEFT <= STRLENOF( " size.soft=" ) ) return -1;
 				ptr = lutil_strcopy( ptr, " size.soft=" );

 			/* If doing both size & time, qualify this */
-			else if ( which & SLAP_LIMIT_TIME )
+			} else if ( which & SLAP_LIMIT_TIME ) {
+				if ( WHATSLEFT <= STRLENOF( " size=" ) ) return -1;
 				ptr = lutil_strcopy( ptr, " size=" );
+			}

-			if ( lim->lms_s_soft == -1 )
+			if ( lim->lms_s_soft == -1 ) {
+				if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
 				ptr = lutil_strcopy( ptr, "unlimited" );
-			else
-				ptr += sprintf( ptr, "%d", lim->lms_s_soft );
+			} else {
+				ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_s_soft );
+				if ( WHATSLEFT < 0 ) return -1;
+			}
 			*ptr++ = ' ';
 		}
 s_hard:
 		if ( lim->lms_s_hard ) {
+			if ( WHATSLEFT <= STRLENOF( " size.hard=" ) ) return -1;
 			ptr = lutil_strcopy( ptr, " size.hard=" );
-			if ( lim->lms_s_hard == -1 )
+			if ( lim->lms_s_hard == -1 ) {
+				if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
 				ptr = lutil_strcopy( ptr, "unlimited" );
-			else
-				ptr += sprintf( ptr, "%d", lim->lms_s_hard );
+			} else {
+				ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_s_hard );
+				if ( WHATSLEFT < 0 ) return -1;
+			}
 			*ptr++ = ' ';
 		}
 		if ( lim->lms_s_unchecked != -1 ) {
+			if ( WHATSLEFT <= STRLENOF( " size.unchecked=" ) ) return -1;
 			ptr = lutil_strcopy( ptr, " size.unchecked=" );
-			if ( lim->lms_s_unchecked == 0 )
+			if ( lim->lms_s_unchecked == 0 ) {
+				if ( WHATSLEFT <= STRLENOF( "disabled" ) ) return -1;
 				ptr = lutil_strcopy( ptr, "disabled" );
-			else
-				ptr += sprintf( ptr, "%d", lim->lms_s_unchecked );
+			} else {
+				ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_s_unchecked );
+				if ( WHATSLEFT < 0 ) return -1;
+			}
 			*ptr++ = ' ';
 		}
 		if ( lim->lms_s_pr_hide ) {
+			if ( WHATSLEFT <= STRLENOF( " size.pr=noEstimate " ) ) return -1;
 			ptr = lutil_strcopy( ptr, " size.pr=noEstimate " );
 		}
 		if ( lim->lms_s_pr ) {
+			if ( WHATSLEFT <= STRLENOF( " size.pr=" ) ) return -1;
 			ptr = lutil_strcopy( ptr, " size.pr=" );
-			if ( lim->lms_s_pr == -1 )
+			if ( lim->lms_s_pr == -1 ) {
+				if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
 				ptr = lutil_strcopy( ptr, "unlimited" );
-			else
-				ptr += sprintf( ptr, "%d", lim->lms_s_pr );
+			} else {
+				ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_s_pr );
+				if ( WHATSLEFT < 0 ) return -1;
+			}
 			*ptr++ = ' ';
 		}
 		if ( lim->lms_s_pr_total ) {
+			if ( WHATSLEFT <= STRLENOF( " size.prtotal=" ) ) return -1;
 			ptr = lutil_strcopy( ptr, " size.prtotal=" );
-			if ( lim->lms_s_pr_total == -1 )
+			if ( lim->lms_s_pr_total == -1 ) {
+				if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
 				ptr = lutil_strcopy( ptr, "unlimited" );
-			else if ( lim->lms_s_pr_total == -2 )
+			} else if ( lim->lms_s_pr_total == -2 ) {
+				if ( WHATSLEFT <= STRLENOF( "disabled" ) ) return -1;
 				ptr = lutil_strcopy( ptr, "disabled" );
-			else 
-				ptr += sprintf( ptr, "%d", lim->lms_s_pr_total );
+			} else {
+				ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_s_pr_total );
+				if ( WHATSLEFT < 0 ) return -1;
+			}
 			*ptr++ = ' ';
 		}
 	}
+
 	if ( which & SLAP_LIMIT_TIME ) {
 		if ( lim->lms_t_soft != SLAPD_DEFAULT_TIMELIMIT ) {

 			/* If same as global limit, drop it */
 			if ( lim != &frontendDB->be_def_limit &&
 				lim->lms_t_soft == frontendDB->be_def_limit.lms_t_soft )
+			{
 				goto t_hard;

 			/* If there's also a hard limit, fully qualify this one */
-			else if ( lim->lms_t_hard ) 
+			} else if ( lim->lms_t_hard ) {
+				if ( WHATSLEFT <= STRLENOF( " time.soft=" ) ) return -1;
 				ptr = lutil_strcopy( ptr, " time.soft=" );

 			/* If doing both size & time, qualify this */
-			else if ( which & SLAP_LIMIT_SIZE )
+			} else if ( which & SLAP_LIMIT_SIZE ) {
+				if ( WHATSLEFT <= STRLENOF( " time=" ) ) return -1;
 				ptr = lutil_strcopy( ptr, " time=" );
+			}

-			if ( lim->lms_t_soft == -1 )
+			if ( lim->lms_t_soft == -1 ) {
+				if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
 				ptr = lutil_strcopy( ptr, "unlimited" );
-			else
-				ptr += sprintf( ptr, "%d", lim->lms_t_soft );
+			} else {
+				ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_t_soft );
+				if ( WHATSLEFT < 0 ) return -1;
+			}
 			*ptr++ = ' ';
 		}
 t_hard:
 		if ( lim->lms_t_hard ) {
+			if ( WHATSLEFT <= STRLENOF( " time.hard=" ) ) return -1;
 			ptr = lutil_strcopy( ptr, " time.hard=" );
-			if ( lim->lms_t_hard == -1 )
+			if ( lim->lms_t_hard == -1 ) {
+				if ( WHATSLEFT <= STRLENOF( "unlimited" ) ) return -1;
 				ptr = lutil_strcopy( ptr, "unlimited" );
-			else
-				ptr += sprintf( ptr, "%d", lim->lms_t_hard );
+			} else {
+				ptr += snprintf( ptr, WHATSLEFT, "%d", lim->lms_t_hard );
+				if ( WHATSLEFT < 0 ) return -1;
+			}
 			*ptr++ = ' ';
 		}
 	}

--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -992,10 +992,10 @@ LDAP_SLAPD_F (int) limits_parse_one LDAP_P(( const char *arg,
 	struct slap_limits_set *limit ));
 LDAP_SLAPD_F (int) limits_check LDAP_P((
 	Operation *op, SlapReply *rs ));
-LDAP_SLAPD_F (void) limits_unparse_one LDAP_P(( 
-	struct slap_limits_set *limit, int which, struct berval *bv ));
-LDAP_SLAPD_F (void) limits_unparse LDAP_P(( 
-	struct slap_limits *limit, struct berval *bv ));
+LDAP_SLAPD_F (int) limits_unparse_one LDAP_P(( 
+	struct slap_limits_set *limit, int which, struct berval *bv, ber_len_t buflen ));
+LDAP_SLAPD_F (int) limits_unparse LDAP_P(( 
+	struct slap_limits *limit, struct berval *bv, ber_len_t buflen ));
 LDAP_SLAPD_F (void) limits_destroy LDAP_P(( struct slap_limits **lm ));

 /*