add some sanity checks...
authorPierangelo Masarati <ando@openldap.org>
Wed, 9 Nov 2005 17:08:11 +0000 (17:08 +0000)
committerPierangelo Masarati <ando@openldap.org>
Wed, 9 Nov 2005 17:08:11 +0000 (17:08 +0000)
servers/slapd/modify.c
servers/slapd/value.c

index 4f90671ec32f5ca3ab160167284bfdb0fa176613..5dfe550d02518847713fa11ee540be16d27b92eb 100644 (file)
@@ -220,7 +220,7 @@ fe_op_modify( Operation *op, SlapReply *rs )
        char            textbuf[ SLAP_TEXT_BUFLEN ];
        size_t          textlen = sizeof( textbuf );
        
-       if( op->o_req_ndn.bv_len == 0 ) {
+       if( BER_BVISEMPTY( &op->o_req_ndn ) ) {
                Debug( LDAP_DEBUG_ANY, "do_modify: root dse!\n", 0, 0, 0 );
 
                send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
@@ -650,7 +650,7 @@ int slap_mods_check(
                         * check that each value is valid per syntax
                         *      and pretty if appropriate
                         */
-                       for ( nvals = 0; ml->sml_values[nvals].bv_val; nvals++ ) {
+                       for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) {
                                struct berval pval;
 
                                if ( pretty ) {
@@ -713,7 +713,7 @@ int slap_mods_check(
                                ml->sml_nvalues = ber_memalloc_x(
                                        (nvals+1)*sizeof(struct berval), ctx );
 
-                               for ( nvals = 0; ml->sml_values[nvals].bv_val; nvals++ ) {
+                               for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) {
 #ifdef SLAP_ORDERED_PRETTYNORM
                                        rc = ordered_value_normalize(
                                                SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
@@ -830,7 +830,7 @@ void slap_mods_opattrs(
                        csn = op->o_csn;
                }
                ptr = strchr( csn.bv_val, '#' );
-               if ( ptr ) {
+               if ( ptr && ptr < &csn.bv_val[csn.bv_len] ) {
                        timestamp.bv_len = ptr - csn.bv_val;
                        if ( timestamp.bv_len >= sizeof( timebuf ))
                                timestamp.bv_len = sizeof( timebuf ) - 1;
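Review bot: The new bound test in slap_mods_opattrs runs only after `strchr( csn.bv_val, '#' )` has already scanned the buffer, so if `csn.bv_val` is ever not NUL-terminated within `bv_len`, the read past the value happens before the check can reject it. A length-bounded search removes the dependency on the terminator and makes the extra comparison unnecessary: `ptr = memchr( csn.bv_val, '#', csn.bv_len );` followed by the original `if ( ptr ) {`. The same strchr-then-compare pattern is used for '}' in the ordered_value_validate, ordered_value_pretty, ordered_value_normalize and ordered_value_match hunks of value.c. The `if` body continues past the end of this hunk.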
index 280ab4af5736de9697de846b86a41e0d19cdd4d7..2b663b9a34cebdda856a39b13fe3a53c2be61160 100644 (file)
@@ -424,7 +424,7 @@ ordered_value_validate(
                        char    *ptr;
 
                        ptr = strchr( bv.bv_val, '}' );
-                       if ( ptr == NULL ) {
+                       if ( ptr == NULL || ptr > &bv.bv_val[ bv.bv_len ] ) {
                                return LDAP_INVALID_SYNTAX;
                        }
                        ptr++;
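Review bot: The comparison `ptr > &bv.bv_val[ bv.bv_len ]` still accepts a '}' found at exactly `bv.bv_val[ bv.bv_len ]`, one byte past the value; it should be `>=`, consistent with the `ptr < &csn.bv_val[csn.bv_len]` form used in modify.c: `if ( ptr == NULL || ptr >= &bv.bv_val[ bv.bv_len ] ) {`. After the following `ptr++` the offset is `bv_len + 1`, and the ordered_value_match hunks show that offset being subtracted (`bv2.bv_len -= ptr - bv2.bv_val;`), which would wrap if `bv_len` is an unsigned type, as it appears to be. The same operator is used in the ordered_value_pretty, ordered_value_normalize and both ordered_value_match hunks. The code after `ptr++` in this function lies outside the hunk.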
@@ -466,7 +466,7 @@ ordered_value_pretty(
                        char    *ptr;
 
                        ptr = strchr( bv.bv_val, '}' );
-                       if ( ptr == NULL ) {
+                       if ( ptr == NULL || ptr > &bv.bv_val[ bv.bv_len ] ) {
                                return LDAP_INVALID_SYNTAX;
                        }
                        ptr++;
@@ -525,11 +525,11 @@ ordered_value_normalize(
        if ( ad->ad_type->sat_flags & SLAP_AT_ORDERED ) {
 
                /* Skip past the assertion index */
-               if ( bv.bv_val[0] == '{' ) {
+               if ( bv.bv_val[ 0 ] == '{' ) {
                        char    *ptr;
 
                        ptr = strchr( bv.bv_val, '}' );
-                       if ( ptr == NULL ) {
+                       if ( ptr == NULL || ptr > &bv.bv_val[ bv.bv_len ] ) {
                                return LDAP_INVALID_SYNTAX;
                        }
                        ptr++;
@@ -600,7 +600,11 @@ ordered_value_match(
 
                /* Skip past the assertion index */
                if ( bv2.bv_val[0] == '{' ) {
-                       ptr = strchr( bv2.bv_val, '}' ) + 1;
+                       ptr = strchr( bv2.bv_val, '}' );
+                       if ( ptr == NULL || ptr > &bv2.bv_val[ bv2.bv_len ] ) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+                       ptr++;
                        bv2.bv_len -= ptr - bv2.bv_val;
                        bv2.bv_val = ptr;
                        v2 = &bv2;
@@ -627,7 +631,11 @@ ordered_value_match(
                }
                /* Skip past the attribute index */
                if ( bv1.bv_val[0] == '{' ) {
-                       ptr = strchr( bv1.bv_val, '}' ) + 1;
+                       ptr = strchr( bv1.bv_val, '}' );
+                       if ( ptr == NULL || ptr > &bv1.bv_val[ bv1.bv_len ] ) {
+                               return LDAP_INVALID_SYNTAX;
+                       }
+                       ptr++;
                        bv1.bv_len -= ptr - bv1.bv_val;
                        bv1.bv_val = ptr;
                        v1 = &bv1;
@@ -684,9 +692,17 @@ ordered_value_add(
        }
 
        for (i=0; i<vnum; i++) {
+               char    *next;
+
                k = -1;
                if ( vals[i].bv_val[0] == '{' ) {
-                       k = strtol( vals[i].bv_val+1, NULL, 0 );
+                       k = strtol( vals[i].bv_val+1, &next, 0 );
+                       if ( next == vals[i].bv_val + 1 ||
+                               next[ 0 ] != '}' ||
+                               next - vals[i].bv_val > vals[i].bv_len )
+                       {
+                               return -1;
+                       }
                        if ( k > anum ) k = -1;
                }
                /* No index, or index is greater than current number of
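Review bot: `strtol( vals[i].bv_val+1, &next, 0 )` accepts a leading sign, so a negative index such as `{-2}` passes all three new checks and leaves `k` negative; the following `if ( k > anum ) k = -1;` does not normalise it. If the code below the hunk treats only `-1` as "no index", rejecting negatives together with the other checks would close that gap, for example by adding `k < 0 ||` as the first term of the new condition. `next[ 0 ]` is also read before the `next - vals[i].bv_val > vals[i].bv_len` bound is tested; testing the bound first, and with `>=`, keeps the dereference inside the value. The loop body continues outside the hunk.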