X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fldapsync.c;h=cc1ed8705468df15f5d7fc9f0cdd8c4ed3095684;hb=0cc7ed6d550418bb0d936a557e3b9f119ba54a44;hp=9d335860dfbb9c8057d27fc211f02f7bc7a1fd82;hpb=0b2a428a291723a3faff3d07fa578441a926b62d;p=openldap
diff --git a/servers/slapd/ldapsync.c b/servers/slapd/ldapsync.c
index 9d335860df..cc1ed87054 100644
--- a/servers/slapd/ldapsync.c
+++ b/servers/slapd/ldapsync.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software .
 *
- * Copyright 2003-2005 The OpenLDAP Foundation.
+ * Copyright 2003-2006 The OpenLDAP Foundation.
 * Portions Copyright 2003 IBM Corporation.
 * All rights reserved.
 *
@@ -55,7 +55,8 @@ slap_compose_sync_cookie(
 "csn=%s,rid=%03d", csn->bv_val, rid );
 }
 }
- ber_str2bv( cookiestr, strlen(cookiestr), 1, cookie );
+ ber_str2bv_x( cookiestr, strlen(cookiestr), 1, cookie,
+ op ? op->o_tmpmemctx : NULL );
 }
 void
@@ -96,20 +97,25 @@ slap_parse_sync_cookie(
 int valid = 0;
 char *rid_ptr;
 char *cval;
+ char *next;
 if ( cookie == NULL ) return -1;
+ if ( cookie->octet_str.bv_len <= STRLENOF( "rid=" ) )
+ return -1;
+ cookie->rid = -1;
- if (( rid_ptr = strstr( cookie->octet_str.bv_val, "rid=" )) != NULL ) {
- if ( (cval = strchr( rid_ptr, ',' )) != NULL ) {
- *cval = '\0';
- }
- cookie->rid = atoi( rid_ptr + sizeof("rid=") - 1 );
- if ( cval != NULL ) {
- *cval = ',';
- }
- } else {
+ /* FIXME: may read past end of cookie->octet_str.bv_val */
+ rid_ptr = strstr( cookie->octet_str.bv_val, "rid=" );
+ if ( rid_ptr == NULL
+ || rid_ptr > &cookie->octet_str.bv_val[ cookie->octet_str.bv_len - STRLENOF( "rid=" ) ] )
+ {
+ return -1;
+ }
+
+ cookie->rid = strtoul( &rid_ptr[ STRLENOF( "rid=" ) ], &next, 10 );
+ if ( next == &rid_ptr[ STRLENOF( "rid=" ) ] || ( next[ 0 ] != ',' && next[ 0 ] != '\0' ) ) {
 return -1;
 }
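Review bot: The cookie value is now duplicated from `op->o_tmpmemctx` whenever `op` is non-NULL, and nothing at the `ber_str2bv_x` call records that change of ownership. A caller that keeps the cookie past the operation, or releases it with a different allocator than the one that produced it, would end up with a dangling pointer or a mismatched free; the callers are outside this hunk, so this is something to verify rather than a confirmed defect. I would add a comment above the call such as `/* cookie->bv_val comes from op->o_tmpmemctx when op != NULL; free it with the same context and do not keep it past the operation */`. The function's signature and the start of its body are outside the hunk.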
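Review bot: The new `strtoul` call on the `rid=` value accepts leading whitespace and a sign and reports overflow only through `errno`, and the check on `next` that follows catches none of these, so a value such as `rid=-1` or an over-long digit string is parsed and then narrowed into `cookie->rid`. Parse into an `unsigned long` temporary, require the first character to be a digit, and reject out-of-range results before assigning, for example `if ( rid_ptr[ STRLENOF( "rid=" ) ] < '0' || rid_ptr[ STRLENOF( "rid=" ) ] > '9' ) return -1;` ahead of the call; the upper bound should be whatever the project allows for a replica id (the composer earlier in this diff prints it with `%03d`). As the added FIXME says, `strstr` (and `strtoul` after it) still depend on `bv_val` being NUL-terminated, and the length comparison made after the search cannot undo an over-read, so a length-bounded search would be the complete fix. The function continues beyond the hunk.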
@@ -122,16 +128,20 @@ slap_parse_sync_cookie(
 if ( ad == NULL ) break;
+ if ( csn_ptr >= &cookie->octet_str.bv_val[ cookie->octet_str.bv_len - STRLENOF( "csn=" ) ] ) {
+ return -1;
+ }
+ csn_str = csn_ptr + STRLENOF("csn=");
 cval = strchr( csn_str, ',' );
- if ( cval )
+ if ( cval && cval < &cookie->octet_str.bv_val[ cookie->octet_str.bv_len ] )
 csn_str_len = cval - csn_str;
 else csn_str_len = 0;
 /* FIXME use csnValidate when it gets implemented */
 csn_ptr = strchr( csn_str, '#' );
- if ( !csn_ptr ) break;
+ if ( !csn_ptr || csn_str >= &cookie->octet_str.bv_val[ cookie->octet_str.bv_len ] ) break;
 stamp.bv_val = csn_str;
 stamp.bv_len = csn_ptr - csn_str;
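Review bot: The bound added to the `#` lookup tests `csn_str` where it almost certainly means `csn_ptr`: the guard at the top of this hunk already returns when `csn_ptr` is within `STRLENOF( "csn=" )` bytes of the end, so `csn_str >= &cookie->octet_str.bv_val[ cookie->octet_str.bv_len ]` can never be true and the position of the `#` stays unbounded. `stamp.bv_len = csn_ptr - csn_str` can then reach past the end of the cookie, or past the comma that ends the csn value. The line should read `if ( !csn_ptr || csn_ptr >= &cookie->octet_str.bv_val[ cookie->octet_str.bv_len ] ) break;`, and bounding it by `cval` when a comma was found would be stricter still. The enclosing block starts and ends outside the hunk.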