| From 1fe8c790b2294fd10fe9c9c6254ecf2b6c00b709 Mon Sep 17 00:00:00 2001 |
| From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> |
| Date: Tue, 8 Dec 2020 21:32:09 +1300 |
| Subject: [PATCH] CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds |
| |
| For a string that had N spaces at the beginning, we would |
| try to move N bytes beyond the end of the string. |
| |
| BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655 |
| |
| Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> |
| Reviewed-by: Andrew Bartlett <abartlet@samba.org> |
| --- |
| common/attrib_handlers.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/common/attrib_handlers.c b/common/attrib_handlers.c |
| index 11921ca429c..81a74584bcb 100644 |
| --- a/common/attrib_handlers.c |
| +++ b/common/attrib_handlers.c |
| @@ -76,7 +76,7 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx, |
| |
| /* remove leading spaces if any */ |
| if (*s == ' ') { |
| - for (t = s; *s == ' '; s++) ; |
| + for (t = s; *s == ' '; s++, l--) ; |
| |
| /* remove leading spaces by moving down the string */ |
| memmove(t, s, l); |
| -- |
| 2.25.1 |
| |