ldb: Be strict about talloc_memdup() and passed in buffers in ldb_dn_set_component()
authorAndrew Bartlett <abartlet@samba.org>
Sun, 3 Jan 2016 23:12:37 +0000 (12:12 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 5 Jan 2016 20:29:06 +0000 (21:29 +0100)
This ensures we do not over-read the source buffer, but still NUL terminate.

This may be related to Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808769

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
lib/ldb/common/ldb_dn.c

index dfd3b5844cf04dedd7555017ec158c2ab7f0f1b5..1e83f5a6a8132c197f2a3b5b4d684a19bbcc9652 100644 (file)
@@ -1907,11 +1907,23 @@ int ldb_dn_set_component(struct ldb_dn *dn, int num,
        }
 
        v.length = val.length;
-       v.data = (uint8_t *)talloc_memdup(dn, val.data, v.length+1);
+
+       /*
+        * This is like talloc_memdup(dn, v.data, v.length + 1), but
+        * avoids the over-read
+        */
+       v.data = (uint8_t *)talloc_size(dn, v.length+1);
        if ( ! v.data) {
                talloc_free(n);
                return LDB_ERR_OTHER;
        }
+       memcpy(v.data, val.data, val.length);
+
+       /*
+        * Enforce NUL termination outside the stated length, as is
+        * traditional in LDB
+        */
+       v.data[v.length] = '\0';
 
        talloc_free(dn->components[num].name);
        talloc_free(dn->components[num].value.data);
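Review bot: The new `talloc_size(dn, v.length+1)` on the added allocation line still has no guard against `val.length` being `SIZE_MAX`, in which case `v.length+1` wraps to 0, the allocation succeeds with a tiny buffer and the following `memcpy(v.data, val.data, val.length)` overruns it; unless an earlier check outside this hunk already bounds the length, add `if (val.length == SIZE_MAX) { talloc_free(n); return LDB_ERR_OTHER; }` before the allocation (the `talloc_free(n)` cleanup pattern is taken from the existing OOM branch). The memcpy is also reached with whatever `val.data` holds, so if callers can pass a zero-length value with a NULL pointer that call is undefined behaviour on paper; I cannot see the earlier validation from here, so treat that as a point to confirm. Separately, the new explanatory comment says `talloc_memdup(dn, v.data, v.length + 1)` while the code it replaces copied from `val.data`, so the comment should read `talloc_memdup(dn, val.data, v.length + 1)`. The enclosing `ldb_dn_set_component()` starts and ends outside this hunk.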