From: Howard Chu <hyc@openldap.org>
Date: Mon, 8 May 2006 12:43:01 +0000 (+0000)
Subject: Fix strchrlen running past end of berval
X-Git-Tag: OPENLDAP_REL_ENG_2_4_1ALPHA~2^2~70
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=f7115e761c6ef3bb1e720d82faaee62dd173aeec;p=openldap

Fix strchrlen running past end of berval
---

diff --git a/servers/slapd/ad.c b/servers/slapd/ad.c
index 4ac9b6a8c0..46be761d9f 100644
--- a/servers/slapd/ad.c
+++ b/servers/slapd/ad.c
@@ -125,15 +125,16 @@ int slap_str2ad(
 
 static char *strchrlen(
 	const char *p, 
+	const char *end,
 	const char ch, 
 	int *len )
 {
 	int i;
 
-	for( i=0; p[i]; i++ ) {
-		if( p[i] == ch ) {
+	for( i=0; *p && p < end; i++,p++ ) {
+		if( *p == ch ) {
 			*len = i;
-			return (char *) &p[i];
+			return (char *) p;
 		}
 	}
 
@@ -148,7 +149,7 @@ int slap_bv2ad(
 {
 	int rtn = LDAP_UNDEFINED_TYPE;
 	AttributeDescription desc, *d2;
-	char *name, *options;
+	char *name, *options, *optn;
 	char *opt, *next;
 	int ntags;
 	int tagslen;
@@ -201,11 +202,12 @@ int slap_bv2ad(
 	ntags = 0;
 	memset( tags, 0, sizeof( tags ));
 	tagslen = 0;
+	optn = bv->bv_val + bv->bv_len;
 
 	for( opt=options; opt != NULL; opt=next ) {
 		int optlen;
 		opt++; 
-		next = strchrlen( opt, ';', &optlen );
+		next = strchrlen( opt, optn, ';', &optlen );
 
 		if( optlen == 0 ) {
 			*text = "zero length option is invalid";
@@ -443,19 +445,21 @@ static int is_ad_subtags(
 	struct berval *subtagsbv, 
 	struct berval *suptagsbv )
 {
-	const char *suptags, *supp, *supdelimp;
-	const char *subtags, *subp, *subdelimp;
+	const char *suptags, *supp, *supdelimp, *supn;
+	const char *subtags, *subp, *subdelimp, *subn;
 	int  suplen, sublen;
 
 	subtags =subtagsbv->bv_val;
 	suptags =suptagsbv->bv_val;
+	subn = subtags + subtagsbv->bv_len;
+	supn = suptags + suptagsbv->bv_len;
 
 	for( supp=suptags ; supp; supp=supdelimp ) {
-		supdelimp = strchrlen( supp, ';', &suplen );
+		supdelimp = strchrlen( supp, supn, ';', &suplen );
 		if( supdelimp ) supdelimp++;
 
 		for( subp=subtags ; subp; subp=subdelimp ) {
-			subdelimp = strchrlen( subp, ';', &sublen );
+			subdelimp = strchrlen( subp, subn, ';', &sublen );
 			if( subdelimp ) subdelimp++;
 
 			if ( suplen > sublen