[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm archive.c, 1.8, 1.9 dbhelp.c, 1.4, 1.5 dllmain.c, 1.4, 1.5 import-merge.c, 1.5, 1.6 import.h, 1.5, 1.6 ldbm_attrcrypt.c, 1.7, 1.8 ldbm_config.c, 1.5, 1.6 ldif2ldbm.c, 1.8, 1.9

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Tue Apr 11 02:14:47 UTC 2006


Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv8136/ldapserver/ldap/servers/slapd/back-ldbm

Modified Files:
	archive.c dbhelp.c dllmain.c import-merge.c import.h 
	ldbm_attrcrypt.c ldbm_config.c ldif2ldbm.c 
Log Message:
Bug(s) fixed: 186280
Bug Description: ldapserver: Close potential security vulnerabilities in CGI code
Reviewed by: Nathan, Noriko, and Pete (Thanks!)
Fix Description: Clean up usage of sprintf, strcpy, fgets instead of
gets, fixed buffer usage, etc., mostly in the CGI code and other user
facing code (i.e. setup).  Also, Steve Grubb told me about a GCC trick
to force it to check printf style varargs functions, to check the format
string against the argument string, for type mismatches, missing
arguments, and too many arguments.
In the CGI form argument parsing code, we needed to be more careful
about checking for bad input - good input is supposed to look like this:
name=value&name=value&.....&name=value.  I don't think the original code
was checking properly for something like name&name=value.
There was another place where we were not checking to see if a buffer
had enough room before appending a string to it.
I had to change a couple of functions to allow passing in the size of
the buffer.
Fixed some issues raised by Noriko and Nathan.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none



Index: archive.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/archive.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- archive.c	12 Jan 2006 00:29:04 -0000	1.8
+++ archive.c	11 Apr 2006 02:14:45 -0000	1.9
@@ -207,7 +207,7 @@
                 c = *p;
                 *p = '\0';
             }
-            bakup_dir = slapi_ch_smprintf("%s%ctmp_%010d", directory, c, time(0));
+            bakup_dir = slapi_ch_smprintf("%s%ctmp_%010ld", directory, c, time(0));
             LDAPDebug( LDAP_DEBUG_ANY,
                       "archive2db: backup dir: %s\n", bakup_dir, 0, 0);
             *p = c;
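Review bot: `%010ld` expects a `long`, but the argument on the changed line is the raw `time(0)` result, and `time_t` is not guaranteed to be `long` on every platform this code builds for. An explicit cast keeps the varargs call well-defined: `bakup_dir = slapi_ch_smprintf("%s%ctmp_%010ld", directory, c, (long)time(0));`. The same applies to the `"%s/%ld"` call that passes `tm` in the second ldif2ldbm.c hunk. The enclosing function starts and ends outside this hunk.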
@@ -315,10 +315,10 @@
             if (task) {
                 slapi_task_log_notice(task,
                             "Failed to rename \"%s\" to \"%s\".",
-                            directory, dir_bak, 0);
+                            directory, dir_bak);
                 slapi_task_log_notice(task,
                             SLAPI_COMPONENT_NAME_NSPR " error %d (%s)",
-                            prerr, slapd_pr_strerror(prerr), 0);
+                            prerr, slapd_pr_strerror(prerr));
             }
             return_value = -1;
             goto out;


Index: dbhelp.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/dbhelp.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- dbhelp.c	19 Apr 2005 22:07:37 -0000	1.4
+++ dbhelp.c	11 Apr 2006 02:14:45 -0000	1.5
@@ -51,7 +51,7 @@
 	DB *source_file = NULL;
 	DB *destination_file = NULL;
 	DBC *source_cursor = NULL;
-	int dbtype = 0;
+	DBTYPE dbtype = 0;
 	int dbflags = 0;
 	int dbpagesize = 0;
 	int cursor_flag = 0;


Index: dllmain.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/dllmain.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- dllmain.c	19 Apr 2005 22:07:38 -0000	1.4
+++ dllmain.c	11 Apr 2006 02:14:45 -0000	1.5
@@ -136,6 +136,7 @@
 		va_list ap;
 		va_start (ap, fmt);
 		_snprintf (debugBuf, sizeof(debugBuf), fmt, ap);
+		debugBuf[sizeof(debugBuf)-1] = 0;
 		va_end (ap);
 
 		OutputDebugString (debugBuf);
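Review bot: The `_snprintf` call just above the added line receives the `va_list` `ap` as if it were the first format argument, so whenever `fmt` contains a conversion the output is built from the wrong data; forcing the terminator does not change that. The va_list variant is what this code needs: `_vsnprintf (debugBuf, sizeof(debugBuf), fmt, ap);`. The added `debugBuf[sizeof(debugBuf)-1] = 0;` should stay, because that function also leaves the buffer unterminated on truncation. The enclosing function starts and ends outside the hunk.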


Index: import-merge.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/import-merge.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- import-merge.c	19 Apr 2005 22:07:38 -0000	1.5
+++ import-merge.c	11 Apr 2006 02:14:45 -0000	1.6
@@ -654,8 +654,7 @@
     int passes = job->current_pass;
 
     if (1 == job->number_indexers) {
-	import_log_notice(job, "Beginning %d-way merge of one file...", passes,
-			  job->number_indexers);
+	import_log_notice(job, "Beginning %d-way merge of one file...", passes);
     } else {
 	import_log_notice(job, "Beginning %d-way merge of up to %lu files...",
 			  passes, job->number_indexers);


Index: import.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/import.h,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- import.h	6 Dec 2005 18:28:14 -0000	1.5
+++ import.h	11 Apr 2006 02:14:45 -0000	1.6
@@ -203,7 +203,13 @@
 /* import.c */
 FifoItem *import_fifo_fetch(ImportJob *job, ID id, int worker, int shift);
 void import_free_job(ImportJob *job);
-void import_log_notice(ImportJob *job, char *format, ...);
+void import_log_notice(ImportJob *job, char *format, ...)
+#ifdef __GNUC__ 
+        __attribute__ ((format (printf, 2, 3)));
+#else
+        ;
+#endif
+
 void import_abort_all(ImportJob *job, int wait_for_them);
 int import_entry_belongs_here(Slapi_Entry *e, backend *be);
 int import_make_merge_filenames(char *directory, char *indexname, int pass,
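Review bot: The `format (printf, 2, 3)` attribute on `import_log_notice` only yields diagnostics when the build enables format warnings, and a caller passing a non-literal string as `format` is reported only under `-Wformat-security` or `-Wformat-nonliteral`. A comment on the prototype would record that, e.g. `/* format is checked by GCC under -Wformat; callers must pass a literal format, never externally supplied text */`. As a style point, splitting the terminating `;` across `#ifdef`/`#else` is harder to read than one attribute macro defined once (empty for non-GNU compilers) and appended to each printf-style prototype.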


Index: ldbm_attrcrypt.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- ldbm_attrcrypt.c	19 Apr 2005 22:07:38 -0000	1.7
+++ ldbm_attrcrypt.c	11 Apr 2006 02:14:45 -0000	1.8
@@ -199,7 +199,7 @@
 		key_as_berval.bv_len = wrapped_symmetric_key.len;
 		key_value = slapi_value_new_berval(&key_as_berval);
 		/* key_value is now a copy of key_as_berval - free wrapped_symmetric_key */
-		slapi_ch_free(&wrapped_symmetric_key.data);
+		slapi_ch_free_string((char **)&wrapped_symmetric_key.data);
 		slapi_entry_add_value(e, KEY_ATTRIBUTE_NAME, key_value);
 		slapi_value_free(&key_value);
 		/* Store the entry */
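Review bot: `slapi_ch_free_string` with a `(char **)` cast is applied to `wrapped_symmetric_key.data`, which the lines above treat as a length-delimited buffer (`bv_len = wrapped_symmetric_key.len`) rather than a NUL-terminated string. Keeping the generic free with an explicit cast states the intent more accurately and addresses the same pointer-type warning: `slapi_ch_free((void **)&wrapped_symmetric_key.data);`. The declaration of `wrapped_symmetric_key` is outside the hunk, so the exact pointer type is inferred.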


Index: ldbm_config.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_config.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- ldbm_config.c	19 Apr 2005 22:07:38 -0000	1.5
+++ ldbm_config.c	11 Apr 2006 02:14:45 -0000	1.6
@@ -1371,6 +1371,7 @@
 void ldbm_config_get(void *arg, config_info *config, char *buf)
 {
     char *tmp_string;
+	size_t val = 0;
     
     if (config == NULL) {
         buf[0] = '\0';
@@ -1387,7 +1388,8 @@
         sprintf(buf, "%ld", (long) config->config_get_fn(arg));
         break;
     case CONFIG_TYPE_SIZE_T:
-        sprintf(buf, "%lu", (size_t) config->config_get_fn(arg));
+		val = (size_t) config->config_get_fn(arg);
+        sprintf(buf, "%lu", val);
         break;
     case CONFIG_TYPE_STRING:
         /* Remember the get function for strings returns memory
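Review bot: In the `CONFIG_TYPE_SIZE_T` case `val` is a `size_t` but is still printed with `%lu`, so the new local does not remove the type mismatch on platforms where `size_t` and `unsigned long` differ in width. Casting at the call does: `sprintf(buf, "%lu", (unsigned long)val);`. `ldbm_config_get` also takes `buf` without a size, so each `sprintf` visible in this switch relies on the caller's buffer being large enough. A size parameter with `snprintf`-style bounded formatting would match the intent of this commit. The function body continues past the end of the hunk.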


Index: ldif2ldbm.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldif2ldbm.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- ldif2ldbm.c	16 Mar 2006 03:02:33 -0000	1.8
+++ ldif2ldbm.c	11 Apr 2006 02:14:45 -0000	1.9
@@ -1307,7 +1307,7 @@
     if (NULL == inst) {
         if (task) {
             slapi_task_log_notice(task, "Unknown ldbm instance %s",
-                                  instance_name, 0, 0);
+                                  instance_name);
         }
         LDAPDebug(LDAP_DEBUG_ANY, "Unknown ldbm instance %s\n",
                   instance_name, 0, 0);
@@ -2081,7 +2081,7 @@
             {
                 time_t tm = time(0);    /* long */
 
-                char *tmpname = slapi_ch_smprintf("%s/%d", dest_dir, tm);
+                char *tmpname = slapi_ch_smprintf("%s/%ld", dest_dir, tm);
                 dest_dir = tmpname;
             }
             else    /* not a directory */



