openldap2/libldap-sasl_bind-assert.dif

Full_Name: Howard Chu
Version: all < 2.3.29
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.168.84.21)
Submitted by: hyc


Apparently this bug was discovered by Evgeny Legerov but was not previously
reported to anyone on the Project. The bug is now fixed in HEAD and RE23.

Performing a SASL Bind with an authcid longer than 255 characters, with a
space
as the 255th character, will cause the length of the normalized name to be
computed incorrectly, failing to take into account the escaping of the
space
character. (The SASL Bind code truncates all incoming names longer than 255
to
exactly 255 characters.) This triggers an assert in libldap because the
resulting string length doesn't match what we expected it to be.

The fix is in libldap/getdn.c rev 1.134.

The MITRE CVE record for this bug is
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779

--- libraries/libldap/getdn.c	2006/10/28 02:47:58	1.133
+++ libraries/libldap/getdn.c	2006/11/08 22:57:02	1.134
@@ -2016,7 +2016,7 @@
 strval2strlen( struct berval *val, unsigned flags, ber_len_t *len )
 {
 	ber_len_t	l, cl = 1;
-	char		*p;
+	char		*p, *end;
 	int		escaped_byte_len = LDAP_DN_IS_PRETTY( flags ) ? 1 : 3;
 #ifdef PRETTY_ESCAPE
 	int		escaped_ascii_len = LDAP_DN_IS_PRETTY( flags ) ? 2 : 3;
@@ -2030,7 +2030,8 @@
 		return( 0 );
 	}
 
-	for ( l = 0, p = val->bv_val; p < val->bv_val + val->bv_len; p += cl ) {
+	end = val->bv_val + val->bv_len - 1;
+	for ( l = 0, p = val->bv_val; p <= end; p += cl ) {
 
 		/* 
 		 * escape '%x00' 
@@ -2059,7 +2060,7 @@
 		} else if ( LDAP_DN_NEEDESCAPE( p[ 0 ] )
 				|| LDAP_DN_SHOULDESCAPE( p[ 0 ] )
 				|| ( p == val->bv_val && LDAP_DN_NEEDESCAPE_LEAD( p[ 0 ] ) )
-				|| ( !p[ 1 ] && LDAP_DN_NEEDESCAPE_TRAIL( p[ 0 ] ) ) ) {
+				|| ( p == end && LDAP_DN_NEEDESCAPE_TRAIL( p[ 0 ] ) ) ) {
 #ifdef PRETTY_ESCAPE
 #if 0
 			if ( LDAP_DN_WILLESCAPE_HEX( flags, p[ 0 ] ) ) {