openldap2/0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif

From 48e44e993656a08424a020347a458148169196ce Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Thu, 6 Oct 2011 14:05:31 -0700
Subject: UTF8StringNormalize overrun on zero-length string (ITS#7059)

Detected by valgrind

diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 67508fc..65a7e2e 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -1852,12 +1852,12 @@ UTF8StringNormalize(
 		}
 		nvalue.bv_val[nvalue.bv_len] = '\0';
 
-	} else {
+	} else if ( tmp.bv_len )  {
 		/* string of all spaces is treated as one space */
 		nvalue.bv_val[0] = ' ';
 		nvalue.bv_val[1] = '\0';
 		nvalue.bv_len = 1;
-	}
+	}	/* should never be entered with 0-length val */
 
 	*normalized = nvalue;
 	return LDAP_SUCCESS;
@@ -2331,13 +2331,18 @@ postalAddressNormalize(
 	}
 	lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val;
 
-	normalized->bv_len = l;
+	normalized->bv_len = c = l;
 
-	for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) {
+	for ( l = 0; l <= c; l++ ) {
 		/* NOTE: we directly normalize each line,
 		 * without unescaping the values, since the special
 		 * values '\24' ('$') and '\5C' ('\') are not affected
 		 * by normalization */
+		if ( !lines[l].bv_len ) {
+			nlines[l].bv_len = 0;
+			nlines[l].bv_val = NULL;
+			continue;
+		}
 		rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx );
 		if ( rc != LDAP_SUCCESS ) {
 			rc = LDAP_INVALID_SYNTAX;
@@ -2350,7 +2355,7 @@ postalAddressNormalize(
 	normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
 
 	p = normalized->bv_val;
-	for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) {
+	for ( l = 0; l <= c ; l++ ) {
 		p = lutil_strbvcopy( p, &nlines[l] );
 		*p++ = '$';
 	}
-- 
1.7.6.4
Accepting request 89386 from home:rhafer:branches:network:ldap bnc#716895, bnc#719803 and bnc#724201 OBS-URL: https://build.opensuse.org/request/show/89386 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=71 2011-10-26 15:35:50 +02:00			`From 48e44e993656a08424a020347a458148169196ce Mon Sep 17 00:00:00 2001`
			`From: Howard Chu <hyc@openldap.org>`
			`Date: Thu, 6 Oct 2011 14:05:31 -0700`
			`Subject: UTF8StringNormalize overrun on zero-length string (ITS#7059)`

			`Detected by valgrind`

			`diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c`
			`index 67508fc..65a7e2e 100644`
			`--- a/servers/slapd/schema_init.c`
			`+++ b/servers/slapd/schema_init.c`
			`@@ -1852,12 +1852,12 @@ UTF8StringNormalize(`
			`}`
			`nvalue.bv_val[nvalue.bv_len] = '\0';`

			`- } else {`
			`+ } else if ( tmp.bv_len ) {`
			`/* string of all spaces is treated as one space */`
			`nvalue.bv_val[0] = ' ';`
			`nvalue.bv_val[1] = '\0';`
			`nvalue.bv_len = 1;`
			`- }`
			`+ } /* should never be entered with 0-length val */`

			`*normalized = nvalue;`
			`return LDAP_SUCCESS;`
			`@@ -2331,13 +2331,18 @@ postalAddressNormalize(`
			`}`
			`lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val;`

			`- normalized->bv_len = l;`
			`+ normalized->bv_len = c = l;`

			`- for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) {`
			`+ for ( l = 0; l <= c; l++ ) {`
			`/* NOTE: we directly normalize each line,`
			`* without unescaping the values, since the special`
			`* values '\24' ('$') and '\5C' ('\') are not affected`
			`* by normalization */`
			`+ if ( !lines[l].bv_len ) {`
			`+ nlines[l].bv_len = 0;`
			`+ nlines[l].bv_val = NULL;`
			`+ continue;`
			`+ }`
			`rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx );`
			`if ( rc != LDAP_SUCCESS ) {`
			`rc = LDAP_INVALID_SYNTAX;`
			`@@ -2350,7 +2355,7 @@ postalAddressNormalize(`
			`normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );`

			`p = normalized->bv_val;`
			`- for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) {`
			`+ for ( l = 0; l <= c ; l++ ) {`
			`p = lutil_strbvcopy( p, &nlines[l] );`
			`*p++ = '$';`
			`}`
			`--`
			`1.7.6.4`