[Fedora-directory-commits] ldapserver/lib/libaccess acl.yy.cpp, 1.4, 1.5 aclscan.l, 1.4, 1.5 authdb.cpp, 1.4, 1.5 lasdns.cpp, 1.5, 1.6 lasip.cpp, 1.5, 1.6 lastod.cpp, 1.4, 1.5

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Tue Apr 11 02:14:56 UTC 2006


Author: rmeggins

Update of /cvs/dirsec/ldapserver/lib/libaccess
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv8136/ldapserver/lib/libaccess

Modified Files:
	acl.yy.cpp aclscan.l authdb.cpp lasdns.cpp lasip.cpp 
	lastod.cpp 
Log Message:
Bug(s) fixed: 186280
Bug Description: ldapserver: Close potential security vulnerabilities in CGI code
Reviewed by: Nathan, Noriko, and Pete (Thanks!)
Fix Description: Clean up usage of sprintf, strcpy, fgets instead of
gets, fixed buffer usage, etc., mostly in the CGI code and other user
facing code (i.e. setup).  Also, Steve Grubb told me about a GCC trick
to force it to check printf style varargs functions, to check the format
string against the argument list, for type mismatches, missing
arguments, and too many arguments.
In the CGI form argument parsing code, we needed to be more careful
about checking for bad input - good input is supposed to look like this:
name=value&name=value&.....
&name=value.  I don't think the original code
was checking properly for something like name&name=value.
There was another place where we were not checking to see if a buffer
had enough room before appending a string to it.
I had to change a couple of functions to allow passing in the size of
the buffer.
Fixed some issues raised by Noriko and Nathan.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none



Index: acl.yy.cpp
===================================================================
RCS file: /cvs/dirsec/ldapserver/lib/libaccess/acl.yy.cpp,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- acl.yy.cpp	19 Apr 2005 22:07:47 -0000	1.4
+++ acl.yy.cpp	11 Apr 2006 02:14:53 -0000	1.5
@@ -472,6 +472,7 @@
 #ifdef XP_WIN32
 #include <io.h>
 #endif
+#include "plstr.h"
 
 #include "parse.h"
 #include "aclscan.h"
@@ -1944,7 +1945,7 @@
 	acl_lineno = 1;
 	acl_use_buffer = (filename == NULL) ? 1 : 0 ;
 	if ( filename != NULL ) {
-		strcpy(acl_filename, filename);
+		PL_strncpyz(acl_filename, filename, sizeof(acl_filename));
 #ifdef UTEST
 		aclin = fopen(filename, "r");
 		if ( aclin == NULL ) {
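Review bot: PL_strncpyz truncates silently, so a filename longer than acl_filename is stored cut short while the fopen on the following line still opens the full path; any later diagnostic that prints acl_filename would then name a different file than the one actually parsed. A length check before the copy keeps the two consistent: `if (strlen(filename) >= sizeof(acl_filename)) { /* report and bail out as for fopen failure */ }`. The same change appears in the aclscan.l hunk at line 91; acl.yy.cpp appears to be the generated scanner, so the fix belongs in aclscan.l. The enclosing function starts and ends outside the hunk.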


Index: aclscan.l
===================================================================
RCS file: /cvs/dirsec/ldapserver/lib/libaccess/aclscan.l,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- aclscan.l	19 Apr 2005 22:07:47 -0000	1.4
+++ aclscan.l	11 Apr 2006 02:14:53 -0000	1.5
@@ -53,6 +53,7 @@
 #ifdef XP_WIN32
 #include <io.h>
 #endif
+#include "plstr.h"
 
 #include "parse.h"
 #include "aclscan.h"
@@ -328,7 +329,7 @@
 	acl_lineno = 1;
 	acl_use_buffer = (filename == NULL) ? 1 : 0 ;
 	if ( filename != NULL ) {
-		strcpy(acl_filename, filename);
+		PL_strncpyz(acl_filename, filename, sizeof(acl_filename));
 #ifdef UTEST
 		yyin = fopen(filename, "r");
 		if ( yyin == NULL ) {


Index: authdb.cpp
===================================================================
RCS file: /cvs/dirsec/ldapserver/lib/libaccess/authdb.cpp,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- authdb.cpp	19 Apr 2005 22:07:47 -0000	1.4
+++ authdb.cpp	11 Apr 2006 02:14:53 -0000	1.5
@@ -167,10 +167,10 @@
     else {
 	/* treat prefix in the url as dbtype if it has been registered.
 	 */
-	int prefix_len = strcspn(url, ":");
+	size_t prefix_len = strcspn(url, ":");
 	char dbtypestr[BIG_LINE];
 
-	if (prefix_len) {
+	if (prefix_len && (prefix_len < sizeof(dbtypestr))) {
 	    strncpy(dbtypestr, url, prefix_len);
 	    dbtypestr[prefix_len] = 0;
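Review bot: A prefix of sizeof(dbtypestr) characters or more now takes the same path as a URL with no prefix, so an over-long scheme is silently treated as "no registered dbtype" rather than reported; the branch that handles that case is outside the hunk, so I can't tell whether this is deliberate. A short comment on the new condition would record the intent, e.g. `/* a prefix that does not fit dbtypestr cannot be a registered dbtype; fall through */`. Since prefix_len is now bounded, `memcpy(dbtypestr, url, prefix_len);` also states the intent more directly than strncpy.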
 


Index: lasdns.cpp
===================================================================
RCS file: /cvs/dirsec/ldapserver/lib/libaccess/lasdns.cpp,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- lasdns.cpp	19 Apr 2005 22:07:47 -0000	1.5
+++ lasdns.cpp	11 Apr 2006 02:14:53 -0000	1.6
@@ -132,7 +132,7 @@
 int
 LASDnsBuild(NSErr_t *errp, char *attr_pattern, LASDnsContext_t *context, int aliasflg)
 {
-    int		delimiter;    	/* length of valid token	*/
+    size_t	delimiter;    	/* length of valid token	*/
     char	token[256];    	/* max length dns name		*/
     int		i;
     int		ipcnt;
@@ -162,9 +162,13 @@
     }
 
     do {
+		size_t maxsize = sizeof(token);
 	/*  Get a single hostname from the pattern string	*/
         delimiter    = strcspn(attr_pattern, ", \t");
-        strncpy(token, attr_pattern, delimiter);
+		if (delimiter >= maxsize) {
+			delimiter = maxsize-1;
+		}
+        PL_strncpyz(token, attr_pattern, delimiter);
         token[delimiter] = '\0';
 
         /*  Skip any white space after the token 		*/
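Review bot: `PL_strncpyz(token, attr_pattern, delimiter)` drops the last character of every hostname, because PL_strncpyz takes the destination size and copies at most size-1 characters before NUL-terminating, whereas the strncpy it replaces copied delimiter characters; a pattern like `host.example.com` ends up as `host.example.co`. The call should be `PL_strncpyz(token, attr_pattern, delimiter + 1);` (delimiter is already clamped to maxsize-1, so delimiter+1 fits), after which the explicit `token[delimiter] = '\0';` is redundant. Separately, an over-long name is silently cut to 255 characters here while lasip.cpp rejects the same condition with LAS_EVAL_INVALID; rejecting seems the safer behaviour for an access-control pattern, since the truncated name would match a different host. The new lines also use tabs where the surrounding code uses spaces.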


Index: lasip.cpp
===================================================================
RCS file: /cvs/dirsec/ldapserver/lib/libaccess/lasip.cpp,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- lasip.cpp	19 Apr 2005 22:07:47 -0000	1.5
+++ lasip.cpp	11 Apr 2006 02:14:53 -0000	1.6
@@ -95,6 +95,14 @@
     if (strcspn(ipstr, "0123456789.*"))
         return LAS_EVAL_INVALID;
 
+	if (strlen(netmaskstr) >= sizeof(token)) {
+        return LAS_EVAL_INVALID;
+	}
+
+	if (strlen(ipstr) >= sizeof(token)) {
+        return LAS_EVAL_INVALID;
+	}
+
     *netmask = *ip = 0;    /* Start with "don't care"    */
 
     for (i=0; i<4; i++) {
@@ -263,6 +271,10 @@
         delimiter    = strcspn(curptr, ", \t");
         delimiter    = (delimiter <= strlen(curptr)) ? delimiter : strlen(curptr);
         strncpy(token, curptr, delimiter);
+		if (delimiter >= sizeof(token)) {
+            return LAS_EVAL_INVALID;
+		}
+			
         token[delimiter] = '\0';
         /* skip all the white space after the token */
         curptr = strpbrk((curptr+delimiter), "1234567890+.*");
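Review bot: The new `if (delimiter >= sizeof(token))` check sits after `strncpy(token, curptr, delimiter);`, so the copy that it is meant to guard has already overrun token by the time it runs; the check must come before the strncpy, as the token2 hunk below already does. Move the three added lines to precede the `strncpy(token, curptr, delimiter);` line. The stray whitespace-only line added after the check should also be dropped. The enclosing function starts and ends outside the hunk.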
@@ -275,6 +287,9 @@
                 curptr = strpbrk((++curptr), "1234567890.*");
                 delimiter    = strcspn(curptr, ", \t");
                 delimiter    = (delimiter <= strlen(curptr)) ? delimiter : strlen(curptr);
+				if (delimiter >= sizeof(token2)) {
+					return LAS_EVAL_INVALID;
+				}
                 strncpy(token2, curptr, delimiter);
                 token2[delimiter] = '\0';
                 retcode = dotdecimal(token, token2, &ip, &netmask);
@@ -512,7 +527,7 @@
     /* Cannot reach here.  Even a 32 bit mismatch has a conclusion in 
      * the pattern tree.
      */
-    sprintf(ip_str, "%x", ip);
+    sprintf(ip_str, "%x", (unsigned int)ip);
     nserrGenerate(errp, ACLERRINTERNAL, ACLERR5240, ACL_Program, 2, XP_GetAdminStr(DBT_lasipevalReach32BitsWithoutConcl_), ip_str);
     return LAS_EVAL_INVALID;
 }
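Review bot: The sprintf into ip_str remains unbounded here, which is at odds with the commit's stated goal of removing sprintf; if ip_str is an array (its declaration is outside the hunk), `snprintf(ip_str, sizeof(ip_str), "%x", (unsigned int)ip);` keeps this site consistent with the rest of the change. With the cast, "%x" produces at most eight hex digits plus the terminator, so this is a consistency point rather than a live overflow as long as ip_str holds at least nine bytes.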


Index: lastod.cpp
===================================================================
RCS file: /cvs/dirsec/ldapserver/lib/libaccess/lastod.cpp,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- lastod.cpp	19 Apr 2005 22:07:47 -0000	1.4
+++ lastod.cpp	11 Apr 2006 02:14:53 -0000	1.5
@@ -50,6 +50,7 @@
 #include "aclutil.h"
 #include <libaccess/dbtlibaccess.h>
 #include <libaccess/aclerror.h>
+#include "plstr.h"
 
 /*	Day of the week LAS driver
  *	Note that everything is case-insensitive.
@@ -97,7 +98,7 @@
 	strftime(daystr, 4, "%a", localtime(&t));
 #endif
 	makelower(daystr);
-	strcpy(lcl_pattern, pattern);
+	PL_strncpyz(lcl_pattern, pattern, sizeof(lcl_pattern));
 	makelower(lcl_pattern);
 
 	/* 	Compare the value to the pattern	*/
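Review bot: The PL_strncpyz here silently truncates an over-long day-of-week pattern into lcl_pattern, and the truncated copy is what the comparison below evaluates, so an oversized ACL pattern would be matched against something other than what the administrator wrote. The lasip.cpp hunks in this same commit reject oversized input with LAS_EVAL_INVALID; doing the same before the copy, `if (strlen(pattern) >= sizeof(lcl_pattern)) return LAS_EVAL_INVALID;`, would be the consistent choice for access-control code. The enclosing function starts and ends outside the hunk.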
@@ -163,10 +164,18 @@
 			return LAS_EVAL_INVALID;
 		}
 
+		if ((size_t)(dash-pattern) >= sizeof(start)) {
+			nserrGenerate(errp, ACLERRINVAL, ACLERR5610, ACL_Program, 2,  XP_GetAdminStr(DBT_illegalComparatorForTimeOfDayDN_), comparator_string(comparator));
+			return LAS_EVAL_INVALID;
+		}
 		strncpy(start, pattern, dash-pattern);
 		start[dash-pattern]='\0';
 		intstart = atoi(start);
 
+		if (strlen(dash+1) >= sizeof(end)) {
+			nserrGenerate(errp, ACLERRINVAL, ACLERR5610, ACL_Program, 2,  XP_GetAdminStr(DBT_illegalComparatorForTimeOfDayDN_), comparator_string(comparator));
+			return LAS_EVAL_INVALID;
+		}
 		strcpy(end, dash+1);
 		intend = atoi(end);
 



