From: Hallvard Furuseth
Date: Wed, 5 Apr 2006 20:48:15 +0000 (+0000)
Subject: Protect from sprintf buffer overrun in ldapsearch -f file "(cn=%100000s)"
X-Git-Tag: OPENLDAP_REL_ENG_2_4_BP~6
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=02cba98c0b2bb89fff3db7b66b0a319801b4b324;p=openldap
Protect from sprintf buffer overrun in ldapsearch -f file "(cn=%100000s)"
---
diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c
index a85e741190..6eca59dbc7 100644
--- a/clients/tools/ldapsearch.c
+++ b/clients/tools/ldapsearch.c
@@ -1049,13 +1049,18 @@ static int dosearch(
 int cancel_msgid = -1;
 if( filtpatt != NULL ) {
- filter = malloc( strlen( filtpatt ) + strlen( value ) );
+ size_t max_fsize = strlen( filtpatt ) + strlen( value ) + 1;
+ filter = malloc( max_fsize );
 if( filter == NULL ) {
 perror( "malloc" );
 return EXIT_FAILURE;
 }
- sprintf( filter, filtpatt, value );
+ if( snprintf( filter, max_fsize, filtpatt, value ) >= max_fsize ) {
+ fprintf( stderr, "Bad filter pattern: \"%s\"\n", filtpatt );
+ free( filter );
+ return EXIT_FAILURE;
+ }
 if ( verbose ) {
 fprintf( stderr, _("filter: %s\n"), filter );
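Review bot: `filtpatt` is still passed to `snprintf` as the format string, so the new size check bounds the write into `filter` but does not cover a pattern that holds any conversion other than a single `%s` (a second `%s`, `%d`, `%n`), which makes snprintf consume arguments that were never passed. Going by the commit title the pattern comes from the ldapsearch command line, so I would validate it before formatting and reject everything except `%%` and one `%s`, reusing the same "Bad filter pattern" exit path. That is stricter than this commit: a width-padded form such as `%5s` that happens to fit today would be rejected as well, which looks acceptable for a filter template but should be confirmed. The `>= max_fsize` test also relies on a negative snprintf return converting to a large `size_t`; that works, but a one-line comment saying so would help. dosearch starts and ends outside this hunk.

```c
	/* … unchanged: max_fsize computation, malloc( max_fsize ) and NULL check … */

	/* Only "%%" and one "%s" are meaningful here: value is the sole
	 * argument, so any other conversion would read past it. */
	{
		const char *p;
		int nconv = 0;

		for( p = filtpatt; (p = strchr( p, '%' )) != NULL; p += 2 ) {
			if( p[1] == '%' ) continue;
			if( p[1] != 's' || ++nconv > 1 ) {
				fprintf( stderr, "Bad filter pattern: \"%s\"\n", filtpatt );
				free( filter );
				return EXIT_FAILURE;
			}
		}
	}
	if( snprintf( filter, max_fsize, filtpatt, value ) >= max_fsize ) {
	/* … unchanged: error path of the size check, verbose output … */
```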