X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fldapsync.c;h=bd4680960944e4ce6adc8eb6184eb8f93c6a98b6;hb=294da7ed11a9a5721b15d0ed81682f123e20cbb0;hp=16abf885b0e599ac1a2618f940539a0a44f719dd;hpb=06212e9de9b3d5bb6cbf047e551c77697842f140;p=openldap

diff --git a/servers/slapd/ldapsync.c b/servers/slapd/ldapsync.c
index 16abf885b0..bd46809609 100644
--- a/servers/slapd/ldapsync.c
+++ b/servers/slapd/ldapsync.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.
  *
@@ -120,20 +120,37 @@ slap_sync_cookie_free(
 }
 
 int
-slap_parse_csn_sid( struct berval *csn )
+slap_parse_csn_sid( struct berval *csnp )
 {
 	char *p, *q;
+	struct berval csn = *csnp;
 	int i;
 
-	p = memchr( csn->bv_val, '#', csn->bv_len );
-	if ( p )
-		p = strchr( p+1, '#' );
+	p = ber_bvchr( &csn, '#' );
 	if ( !p )
 		return -1;
 	p++;
-	i = strtoul( p, &q, 10 );
-	if ( p == q || i > SLAP_SYNC_SID_MAX )
+	csn.bv_len -= p - csn.bv_val;
+	csn.bv_val = p;
+
+	p = ber_bvchr( &csn, '#' );
+	if ( !p )
+		return -1;
+	p++;
+	csn.bv_len -= p - csn.bv_val;
+	csn.bv_val = p;
+
+	q = ber_bvchr( &csn, '#' );
+	if ( !q )
+		return -1;
+
+	csn.bv_len = q - p;
+
+	i = strtol( p, &q, 16 );
+	if ( p == q || q != p + csn.bv_len || i < 0 || i > SLAP_SYNC_SID_MAX ) {
 		i = -1;
+	}
+
 	return i;
 }
 
@@ -141,7 +158,6 @@ int *
 slap_parse_csn_sids( BerVarray csns, int numcsns, void *memctx )
 {
 	int i, *ret;
-	char *p, *q;
 
 	ret = slap_sl_malloc( numcsns * sizeof(int), memctx );
 	for ( i=0; i<numcsns; i++ ) {
@@ -158,8 +174,6 @@ slap_parse_sync_cookie(
 {
 	char *csn_ptr;
 	char *csn_str;
-	int csn_str_len;
-	char *rid_ptr;
 	char *cval;
 	char *next, *end;
 	AttributeDescription *ad = slap_schema.si_ad_modifyTimestamp;
@@ -180,9 +194,14 @@ slap_parse_sync_cookie(
 
 	for ( next=cookie->octet_str.bv_val; next < end; ) {
 		if ( !strncmp( next, "rid=", STRLENOF("rid=") )) {
-			rid_ptr = next;
-			cookie->rid = strtoul( &rid_ptr[ STRLENOF( "rid=" ) ], &next, 10 );
-			if ( next == rid_ptr || next > end || *next != ',' ) {
+			char *rid_ptr = next;
+			cookie->rid = strtol( &rid_ptr[ STRLENOF( "rid=" ) ], &next, 10 );
+			if ( next == rid_ptr ||
+				next > end ||
+				( *next && *next != ',' ) ||
+				cookie->rid < 0 ||
+				cookie->rid > SLAP_SYNC_RID_MAX )
+			{
 				return -1;
 			}
 			if ( *next == ',' ) {
@@ -194,9 +213,15 @@ slap_parse_sync_cookie(
 			continue;
 		}
 		if ( !strncmp( next, "sid=", STRLENOF("sid=") )) {
-			rid_ptr = next;
-			cookie->sid = strtoul( &rid_ptr[ STRLENOF( "sid=" ) ], &next, 16 );
-			if ( next == rid_ptr || next > end || *next != ',' ) {
+			char *sid_ptr = next;
+			sid_ptr = next;
+			cookie->sid = strtol( &sid_ptr[ STRLENOF( "sid=" ) ], &next, 16 );
+			if ( next == sid_ptr ||
+				next > end ||
+				( *next && *next != ',' ) ||
+				cookie->sid < 0 ||
+				cookie->sid > SLAP_SYNC_SID_MAX )
+			{
 				return -1;
 			}
 			if ( *next == ',' ) {