authorRichard Lowe <richlowe@richlowe.net>2012-01-23 17:49:47 -0500
committerRichard Lowe <richlowe@richlowe.net>2012-01-23 17:49:47 -0500
commit528b7d8ba791f2da280ff1ddd45c61eb47a2744e (patch)
treed50108678ae98c650f7b6e718f578420a383a5c0 /usr/src
parentcd0837cc943a814d8b2e7ff44d61265f67220f66 (diff)
1668 ldap format string issues when merging search descriptors
Reviewed by: Richard Lowe <richlowe@richlowe.net> Reviewed by: Gordon Ross <gwr@nexenta.com> Reviewed by: Michael Speer <michael.speer@pluribusnetworks.com> Approved by: Richard Lowe <richlowe@richlowe.net>
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/idmap/idmapd/nldaputils.c18
-rw-r--r--usr/src/cmd/ldap/ns_ldap/ldaplist.c16
-rw-r--r--usr/src/lib/libsldap/common/ns_getalias.c32
-rw-r--r--usr/src/lib/nsswitch/ldap/common/ldap_utils.c24
4 files changed, 74 insertions, 16 deletions
diff --git a/usr/src/cmd/idmap/idmapd/nldaputils.c b/usr/src/cmd/idmap/idmapd/nldaputils.c
index 2895789bd3..e9e94f75f3 100644
--- a/usr/src/cmd/idmap/idmapd/nldaputils.c
+++ b/usr/src/cmd/idmap/idmapd/nldaputils.c
@@ -21,6 +21,7 @@
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
*/
/*
@@ -147,11 +148,28 @@ merge_SSD_filter(const ns_ldap_search_desc_t *desc,
char **realfilter, const void *userdata)
{
int len;
+ char *checker;
+
if (realfilter == NULL)
return (NS_LDAP_INVALID_PARAM);
*realfilter = NULL;
if (desc == NULL || desc->filter == NULL || userdata == NULL)
return (NS_LDAP_INVALID_PARAM);
+
+ /* Parameter check. We only want one %s here, otherwise bail. */
+ len = 0; /* Reuse 'len' as "Number of %s hits"... */
+ checker = (char *)userdata;
+ do {
+ checker = strchr(checker, '%');
+ if (checker != NULL) {
+ if (len > 0 || *(checker + 1) != 's')
+ return (NS_LDAP_INVALID_PARAM);
+ len++; /* Got our %s. */
+ checker += 2;
+ } else if (len != 1)
+ return (NS_LDAP_INVALID_PARAM);
+ } while (checker != NULL);
+
len = strlen(userdata) + strlen(desc->filter) + 1;
*realfilter = (char *)malloc(len);
if (*realfilter == NULL)
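Review bot: The same validation loop is pasted verbatim into four functions (this hunk and the matching hunks in ldaplist.c, ns_getalias.c and ldap_utils.c), so any later correction to the rule has to be made four times and the copies can drift apart. The loop also casts away `const` with `checker = (char *)userdata` and reuses `len` as a hit counter before it becomes the buffer size, which makes a security check harder to audit than it needs to be. A small helper taking `const char *` expresses the same rule (exactly one `%`, which must be followed by `s`; `%%` is rejected too, which the comment should say) and can be called from each copy. Whether one shared definition is practical depends on what these four files have in common, which is not visible here. The body of merge_SSD_filter continues past the end of this hunk.

```c
/* Nonzero iff fmt contains exactly one '%' and it introduces "%s". */
static int
is_single_pct_s(const char *fmt)
{
	const char *pct = strchr(fmt, '%');

	if (pct == NULL || pct[1] != 's')
		return (0);
	return (strchr(pct + 2, '%') == NULL);
}

/* ... unchanged: realfilter / desc / userdata NULL checks ... */
	if (!is_single_pct_s(userdata))
		return (NS_LDAP_INVALID_PARAM);
/* ... unchanged: len computation and malloc ... */
```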
diff --git a/usr/src/cmd/ldap/ns_ldap/ldaplist.c b/usr/src/cmd/ldap/ns_ldap/ldaplist.c
index cfa74ae7f2..162639d119 100644
--- a/usr/src/cmd/ldap/ns_ldap/ldaplist.c
+++ b/usr/src/cmd/ldap/ns_ldap/ldaplist.c
@@ -20,6 +20,7 @@
*/
/*
* Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
*/
@@ -148,6 +149,7 @@ merge_SSD_filter(const ns_ldap_search_desc_t *desc,
const void *userdata)
{
int len;
+ char *checker;
/* sanity check */
if (realfilter == NULL)
@@ -158,6 +160,20 @@ merge_SSD_filter(const ns_ldap_search_desc_t *desc,
userdata == NULL)
return (NS_LDAP_INVALID_PARAM);
+ /* Parameter check. We only want one %s here, otherwise bail. */
+ len = 0; /* Reuse 'len' as "Number of %s hits"... */
+ checker = (char *)userdata;
+ do {
+ checker = strchr(checker, '%');
+ if (checker != NULL) {
+ if (len > 0 || *(checker + 1) != 's')
+ return (NS_LDAP_INVALID_PARAM);
+ len++; /* Got our %s. */
+ checker += 2;
+ } else if (len != 1)
+ return (NS_LDAP_INVALID_PARAM);
+ } while (checker != NULL);
+
len = strlen(userdata) + strlen(desc->filter) + 1;
*realfilter = (char *)malloc(len);
diff --git a/usr/src/lib/libsldap/common/ns_getalias.c b/usr/src/lib/libsldap/common/ns_getalias.c
index 920d85aad8..7b06ded619 100644
--- a/usr/src/lib/libsldap/common/ns_getalias.c
+++ b/usr/src/lib/libsldap/common/ns_getalias.c
@@ -22,10 +22,9 @@
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <stdlib.h>
#include <libintl.h>
#include <stdio.h>
@@ -72,24 +71,37 @@ __s_api_merge_SSD_filter(const ns_ldap_search_desc_t *desc,
const void *userdata)
{
int len;
+ char *checker;
/* sanity check */
if (realfilter == NULL)
return (NS_LDAP_INVALID_PARAM);
*realfilter = NULL;
- if (desc == NULL || desc->filter == NULL ||
- userdata == NULL)
+ if (desc == NULL || desc->filter == NULL || userdata == NULL)
return (NS_LDAP_INVALID_PARAM);
+ /* Parameter check. We only want one %s here, otherwise bail. */
+ len = 0; /* Reuse 'len' as "Number of %s hits"... */
+ checker = (char *)userdata;
+ do {
+ checker = strchr(checker, '%');
+ if (checker != NULL) {
+ if (len > 0 || *(checker + 1) != 's')
+ return (NS_LDAP_INVALID_PARAM);
+ len++; /* Got our %s. */
+ checker += 2;
+ } else if (len != 1)
+ return (NS_LDAP_INVALID_PARAM);
+ } while (checker != NULL);
+
len = strlen(userdata) + strlen(desc->filter) + 1;
*realfilter = (char *)malloc(len);
if (*realfilter == NULL)
return (NS_LDAP_MEMORY);
- (void) sprintf(*realfilter, (char *)userdata,
- desc->filter);
+ (void) sprintf(*realfilter, (char *)userdata, desc->filter);
return (NS_LDAP_SUCCESS);
}
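Review bot: The `sprintf` at the end of __s_api_merge_SSD_filter is still unbounded, so the write is only safe while the allocation size and the new validation loop stay in agreement. `len` already holds the buffer size at that point, so `(void) snprintf(*realfilter, len, (char *)userdata, desc->filter);` would bound the write to the allocation at no cost. The same applies to the reflowed `sprintf` in the last ldap_utils.c hunk, and presumably to the two copies whose `sprintf` lies outside the visible hunks. The function's signature starts above this hunk.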
@@ -142,9 +154,9 @@ __getldapaliasbyname(char *alias, int *retval)
/* should we do hardlookup */
rc = __ns_ldap_list(service, (const char *)filter,
- __s_api_merge_SSD_filter,
- (const char **)attribute, NULL, 0, &result,
- &errorp, NULL, userdata);
+ __s_api_merge_SSD_filter,
+ (const char **)attribute, NULL, 0, &result,
+ &errorp, NULL, userdata);
if (rc == NS_LDAP_NOTFOUND) {
errno = ENOENT;
@@ -157,7 +169,7 @@ __getldapaliasbyname(char *alias, int *retval)
if (errorp) {
if (errorp->message)
(void) fprintf(stderr, "%s (%s)\n", p,
- errorp->message);
+ errorp->message);
} else
(void) fprintf(stderr, "%s\n", p);
#endif /* DEBUG */
diff --git a/usr/src/lib/nsswitch/ldap/common/ldap_utils.c b/usr/src/lib/nsswitch/ldap/common/ldap_utils.c
index e63c800387..6cf1611431 100644
--- a/usr/src/lib/nsswitch/ldap/common/ldap_utils.c
+++ b/usr/src/lib/nsswitch/ldap/common/ldap_utils.c
@@ -22,10 +22,9 @@
/*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
+ * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/systeminfo.h>
#include "ldap_common.h"
@@ -215,6 +214,7 @@ _merge_SSD_filter(const ns_ldap_search_desc_t *desc,
const void *userdata)
{
int len;
+ char *checker;
#ifdef DEBUG
(void) fprintf(stdout, "\n[ldap_utils.c: _merge_SSD_filter]\n");
@@ -225,10 +225,23 @@ _merge_SSD_filter(const ns_ldap_search_desc_t *desc,
return (NS_LDAP_INVALID_PARAM);
*realfilter = NULL;
- if (desc == NULL || desc->filter == NULL ||
- userdata == NULL)
+ if (desc == NULL || desc->filter == NULL || userdata == NULL)
return (NS_LDAP_INVALID_PARAM);
+ /* Parameter check. We only want one %s here, otherwise bail. */
+ len = 0; /* Reuse 'len' as "Number of %s hits"... */
+ checker = (char *)userdata;
+ do {
+ checker = strchr(checker, '%');
+ if (checker != NULL) {
+ if (len > 0 || *(checker + 1) != 's')
+ return (NS_LDAP_INVALID_PARAM);
+ len++; /* Got our %s. */
+ checker += 2;
+ } else if (len != 1)
+ return (NS_LDAP_INVALID_PARAM);
+ } while (checker != NULL);
+
#ifdef DEBUG
(void) fprintf(stdout, "\n[userdata: %s]\n", (char *)userdata);
(void) fprintf(stdout, "\n[SSD filter: %s]\n", desc->filter);
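Review bot: A rejected `userdata` leaves no trace in DEBUG builds, because the new check returns before the block that prints `[userdata: %s]`. A malformed format string reaching this callback is the case a maintainer will most want to see. Either move the check below the DEBUG prints or print the value on the reject path, always as an argument to `"%s"` and never as the format itself. _merge_SSD_filter begins and ends outside this hunk.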
@@ -240,8 +253,7 @@ _merge_SSD_filter(const ns_ldap_search_desc_t *desc,
if (*realfilter == NULL)
return (NS_LDAP_MEMORY);
- (void) sprintf(*realfilter, (char *)userdata,
- desc->filter);
+ (void) sprintf(*realfilter, (char *)userdata, desc->filter);
#ifdef DEBUG
(void) fprintf(stdout, "\n[new filter: %s]\n", *realfilter);