CVE-2015-5330: ldb_dn_escape_value: use known string length, not strlen()
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Tue, 24 Nov 2015 00:09:36 +0000 (13:09 +1300)
committerRalph Boehme <slow@samba.org>
Wed, 9 Dec 2015 16:17:04 +0000 (17:17 +0100)
ldb_dn_escape_internal() reports the number of bytes it copied, so
let's use that number, rather than using strlen() and hoping a zero got
in the right place.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
lib/ldb/common/ldb_dn.c

index 1b8e51e499059d35d4f57de0163bde1e6d747c04..a3b8f921b490a206317ef278a932fee57c685603 100644 (file)
@@ -250,7 +250,7 @@ static int ldb_dn_escape_internal(char *dst, const char *src, int len)
 char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
 {
        char *dst;
-
+       size_t len;
        if (!value.length)
                return NULL;
 
@@ -261,10 +261,14 @@ char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
                return NULL;
        }
 
-       ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
-
-       dst = talloc_realloc(mem_ctx, dst, char, strlen(dst) + 1);
+       len = ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
 
+       dst = talloc_realloc(mem_ctx, dst, char, len + 1);
+       if ( ! dst) {
+               talloc_free(dst);
+               return NULL;
+       }
+       dst[len] = '\0';
        return dst;
 }
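Review bot: The failure branch after `talloc_realloc` cannot release the original buffer, because `dst` has already been overwritten with NULL by the time `talloc_free(dst)` runs, so that call is a no-op and the pre-realloc allocation lives on until mem_ctx is freed. Keep the result in a temporary: `char *tmp = talloc_realloc(mem_ctx, dst, char, len + 1);` / `if (tmp == NULL) { talloc_free(dst); return NULL; }` / `dst = tmp;`. Separately, the hunk header shows `ldb_dn_escape_internal()` returning `int` while `len` is `size_t`; if that function can ever report an error as a negative value, the conversion would turn it into an enormous allocation request and the caller would get NULL with no indication why, so either guard the return before assigning it or add a comment stating that the helper never returns a negative count. The `talloc_array` allocation of `dst` and its NULL check sit above this hunk and are not visible here.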