[Freeipa-devel] [PATCH] 459 Avoid passing non-terminated string to is_master_host
Alexander Bokovoy
abokovoy at redhat.com
Fri Mar 7 09:21:45 UTC 2014
On Fri, 07 Mar 2014, Martin Kosek wrote:
>When string is not terminated, queries with corrupted base may be sent
>to LDAP:
>
>... cn=ipa1.example.com<garbage>,cn=masters...
>
>https://fedorahosted.org/freeipa/ticket/4214
>
>--
>Martin Kosek <mkosek at redhat.com>
>Supervisor, Software Engineering - Identity Management Team
>Red Hat Inc.
>From 74bb082c7c286e9911f1a376ed9ce25845857672 Mon Sep 17 00:00:00 2001
>From: Martin Kosek <mkosek at redhat.com>
>Date: Fri, 7 Mar 2014 10:06:52 +0100
>Subject: [PATCH] Avoid passing non-terminated string to is_master_host
>
>When string is not terminated, queries with corrupted base may be sent
>to LDAP:
>
>... cn=ipa1.example.com<garbage>,cn=masters...
>
>https://fedorahosted.org/freeipa/ticket/4214
>---
> daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
>index 9137cd5ad1e6166fd5d6e765fab2c8178ca0587c..c1b018cc80402c2c3488487aee1d9709b902c5b4 100644
>--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
>+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
>@@ -488,13 +488,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
> }
>
> data = krb5_princ_component(ipactx->context, princ, 1);
>- strres = malloc(data->length);
>+ strres = malloc(data->length+1);
> if (strres == NULL) {
> krb5_free_principal(ipactx->kcontext, princ);
> return ENOENT;
> }
>
> memcpy(strres, data->data, data->length);
>+ strres[data->length] = '\0';
> krb5_free_principal(ipactx->kcontext, princ);
>
> /* Only add PAC to TGT to services on IPA masters to allow querying
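Review bot: the allocation-failure branch right after `strres = malloc(data->length+1);` still returns `ENOENT`, which reports an out-of-memory condition as a missing entry; `ENOMEM` would describe it accurately. In the same region, `data` from `krb5_princ_component(...)` is dereferenced with no NULL check visible in this hunk, so it is worth confirming that the principal is known to have a second component before this point. The added `strres[data->length] = '\0';` matches the enlarged allocation, so the terminator write stays in bounds. Minor style point: write `data->length + 1` with spaces around the operator.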
Obvious ACK.
--
/ Alexander Bokovoy