X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fldapsync.c;h=f71bedaf45fdd18f831a3a4a94f0429c3a91916d;hb=23783a9164b525b4c134ec6ede8c6159d9b7eb50;hp=5870635a699c1cdd73cd90348f654260acc2a44a;hpb=d84399e344a00e211a3dd57322ac69b61fffe3ef;p=openldap

diff --git a/servers/slapd/ldapsync.c b/servers/slapd/ldapsync.c
index 5870635a69..f71bedaf45 100644
--- a/servers/slapd/ldapsync.c
+++ b/servers/slapd/ldapsync.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2009 The OpenLDAP Foundation.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.
  *
@@ -120,20 +120,37 @@ slap_sync_cookie_free(
 }
 
 int
-slap_parse_csn_sid( struct berval *csn )
+slap_parse_csn_sid( struct berval *csnp )
 {
 	char *p, *q;
+	struct berval csn = *csnp;
 	int i;
 
-	p = memchr( csn->bv_val, '#', csn->bv_len );
-	if ( p )
-		p = strchr( p+1, '#' );
+	p = ber_bvchr( &csn, '#' );
 	if ( !p )
 		return -1;
 	p++;
-	i = strtoul( p, &q, 10 );
-	if ( p == q || i > SLAP_SYNC_SID_MAX )
+	csn.bv_len -= p - csn.bv_val;
+	csn.bv_val = p;
+
+	p = ber_bvchr( &csn, '#' );
+	if ( !p )
+		return -1;
+	p++;
+	csn.bv_len -= p - csn.bv_val;
+	csn.bv_val = p;
+
+	q = ber_bvchr( &csn, '#' );
+	if ( !q )
+		return -1;
+
+	csn.bv_len = q - p;
+
+	i = strtol( p, &q, 16 );
+	if ( p == q || q != p + csn.bv_len || i < 0 || i > SLAP_SYNC_SID_MAX ) {
 		i = -1;
+	}
+
 	return i;
 }
 
@@ -157,7 +174,6 @@ slap_parse_sync_cookie(
 {
 	char *csn_ptr;
 	char *csn_str;
-	char *rid_ptr;
 	char *cval;
 	char *next, *end;
 	AttributeDescription *ad = slap_schema.si_ad_modifyTimestamp;
@@ -178,9 +194,14 @@ slap_parse_sync_cookie(
 
 	for ( next=cookie->octet_str.bv_val; next < end; ) {
 		if ( !strncmp( next, "rid=", STRLENOF("rid=") )) {
-			rid_ptr = next;
-			cookie->rid = strtoul( &rid_ptr[ STRLENOF( "rid=" ) ], &next, 10 );
-			if ( next == rid_ptr || next > end || *next != ',' ) {
+			char *rid_ptr = next;
+			cookie->rid = strtol( &rid_ptr[ STRLENOF( "rid=" ) ], &next, 10 );
+			if ( next == rid_ptr ||
+				next > end ||
+				( *next && *next != ',' ) ||
+				cookie->rid < 0 ||
+				cookie->rid > SLAP_SYNC_RID_MAX )
+			{
 				return -1;
 			}
 			if ( *next == ',' ) {
@@ -192,9 +213,15 @@ slap_parse_sync_cookie(
 			continue;
 		}
 		if ( !strncmp( next, "sid=", STRLENOF("sid=") )) {
-			rid_ptr = next;
-			cookie->sid = strtoul( &rid_ptr[ STRLENOF( "sid=" ) ], &next, 16 );
-			if ( next == rid_ptr || next > end || *next != ',' ) {
+			char *sid_ptr = next;
+			sid_ptr = next;
+			cookie->sid = strtol( &sid_ptr[ STRLENOF( "sid=" ) ], &next, 16 );
+			if ( next == sid_ptr ||
+				next > end ||
+				( *next && *next != ',' ) ||
+				cookie->sid < 0 ||
+				cookie->sid > SLAP_SYNC_SID_MAX )
+			{
 				return -1;
 			}
 			if ( *next == ',' ) {