util/rfc1738_unescape(): return end pointer or NULL on error
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Fri, 16 Feb 2018 21:46:44 +0000 (10:46 +1300)
committerDouglas Bagnall <dbagnall@samba.org>
Thu, 22 Feb 2018 00:04:18 +0000 (01:04 +0100)
At present we don't detect errors, but when we do we'll return NULL.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
lib/util/rfc1738.c
lib/util/samba_util.h
source3/client/smbspool.c
source3/utils/ntlm_auth.c
source4/libcli/ldap/ldap_client.c

index b285ae97e0010ee78c3d8bf513a57881c570ef8f..5474ea8a4f943052c1940b6b74a46bac88bd8cfc 100644 (file)
@@ -193,8 +193,8 @@ rfc1738_escape_part(TALLOC_CTX *mem_ctx, const char *url)
  *  rfc1738_unescape() - Converts escaped characters (%xy numbers) in
  *  given the string.  %% is a %. %ab is the 8-bit hexadecimal number "ab"
  */
-_PUBLIC_ void
-rfc1738_unescape(char *s)
+
+_PUBLIC_ char *rfc1738_unescape(char *s)
 {
     char hexnum[3];
     int i, j;                  /* i is write, j is read */
@@ -222,4 +222,5 @@ rfc1738_unescape(char *s)
         }
     }
     s[i] = '\0';
+       return s + i;
 }
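Review bot: The comment block above the changed signature (`*  rfc1738_unescape() - Converts escaped characters ...`) still describes only the in-place conversion and says nothing about the new `char *` return value, which is the whole point of the change. Add a sentence such as `*  Returns a pointer to the terminating NUL of the unescaped string, or NULL on error (no error is detected yet).` so that callers checking the result know what contract they rely on. The added `return s + i;` is indented with a tab while the surrounding body uses four spaces, and the new blank line inserted between the comment and `_PUBLIC_ char *rfc1738_unescape(char *s)` detaches the description from the function it documents; both are worth tidying. The loop body between the two hunks is outside this view.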
index 3daf3dfdfd09c2bfed9428f2bcc4e0d889117a80..f6b3e23abc3884000cb8e9285450157df2183c60 100644 (file)
@@ -225,7 +225,7 @@ _PUBLIC_ char *hex_encode_talloc(TALLOC_CTX *mem_ctx, const unsigned char *buff_
 /**
  Unescape a URL encoded string, in place.
 **/
-_PUBLIC_ void rfc1738_unescape(char *buf);
+_PUBLIC_ char *rfc1738_unescape(char *buf);
 
 
 /**
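Review bot: The doc comment `Unescape a URL encoded string, in place.` above the changed prototype does not mention the return value now that the function returns `char *`, and this header is what the callers in source3/ and source4/ read. Extend it along the lines of `Unescape a URL encoded string, in place. Returns a pointer to the terminating NUL of the result, or NULL on error.`; the NULL case is not yet produced according to the commit message, but the contract belongs next to the prototype.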
index 152492eadf16860e7bf90ce31c86fcb24f1bb140..3660319b5b1034df5f386aa877d320ea7258abfa 100644 (file)
@@ -698,12 +698,16 @@ static char *
 uri_unescape_alloc(const char *uritok)
 {
        char *ret;
-
+       char *end;
        ret = (char *) SMB_STRDUP(uritok);
        if (!ret) {
                return NULL;
        }
 
-       rfc1738_unescape(ret);
+       end = rfc1738_unescape(ret);
+       if (end == NULL) {
+               free(ret);
+               return NULL;
+       }
        return ret;
 }
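Review bot: Only the NULL return is rejected after `end = rfc1738_unescape(ret);`, whereas the ntlm_auth.c hunk in this same commit also rejects `(end - x) != strlen(x)`, i.e. a result whose `s[i] = '\0'` terminator lies beyond an earlier NUL byte (presumably produced by a `%00` sequence). Here such a token is silently truncated at the first NUL and returned as valid; if that is intended a comment saying so would help, otherwise the same check belongs here: `if (end == NULL || (size_t)(end - ret) != strlen(ret)) { free(ret); return NULL; }`. The ldap_client.c hunk has the same NULL-only check on `path`. Separately, `char *end;` replaced the blank line between the declarations and `ret = (char *) SMB_STRDUP(uritok);` rather than being placed before it, which reads slightly worse than the original layout.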
index 3f544902a24a01903ec7f596f593664388a357d6..78bafe12efa24155ff14be10fbe739506ee2c86a 100644 (file)
@@ -1260,7 +1260,7 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
                                   struct ntlm_auth_state *state,
                                        char *buf, int length, void **private2)
 {
-       char *user, *pass;      
+       char *user, *pass;
        user=buf;
 
        pass=(char *)memchr(buf,' ',length);
@@ -1273,8 +1273,20 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
        pass++;
 
        if (state->helper_mode == SQUID_2_5_BASIC) {
-               rfc1738_unescape(user);
-               rfc1738_unescape(pass);
+               char *end = rfc1738_unescape(user);
+               if (end == NULL || (end - user) != strlen(user)) {
+                       DEBUG(2, ("Badly rfc1738 encoded username: %s; "
+                                 "denying access\n", user));
+                       printf("ERR\n");
+                       return;
+               }
+               end = rfc1738_unescape(pass);
+               if (end == NULL || (end - pass) != strlen(pass)) {
+                       DEBUG(2, ("Badly encoded password for %s; "
+                                 "denying access\n", user));
+                       printf("ERR\n");
+                       return;
+               }
        }
 
        if (check_plaintext_auth(user, pass, False)) {
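Review bot: `(end - user) != strlen(user)` compares a signed `ptrdiff_t` with an unsigned `size_t`, which relies on the usual arithmetic conversions and trips -Wsign-compare; since `end` can only be at or after `user` when it is non-NULL, make the intent explicit with `if (end == NULL || (size_t)(end - user) != strlen(user)) {` and the same cast in the `pass` check below. The purpose of the length comparison is also not obvious to a reader; a comment such as `/* a shorter strlen() means the unescaped value contains an embedded NUL */` above the first check would document why the two conditions differ. manage_squid_basic_request() continues past the end of the hunk.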
index 40d508cb01c0cec6877558edaa639cf02df8f364..b5f5da6fa00f252cdaf030d5130568f9902f4781 100644 (file)
@@ -412,7 +412,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
        if (strequal(protocol, "ldapi")) {
                struct socket_address *unix_addr;
                char path[1025];
-       
+               char *end = NULL;
                NTSTATUS status = socket_create("unix", SOCKET_TYPE_STREAM, &state->sock, 0);
                if (!NT_STATUS_IS_OK(status)) {
                        return NULL;
@@ -439,15 +439,18 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
                        return result;
                }
 
-               rfc1738_unescape(path);
-
+               end = rfc1738_unescape(path);
+               if (end == NULL) {
+                       composite_error(state->ctx,
+                                       NT_STATUS_INVALID_PARAMETER);
+                       return result;
+               }       
                unix_addr = socket_address_from_strings(state, state->sock->backend_name,
                                                        path, 0);
                if (composite_nomem(unix_addr, result)) {
                        return result;
                }
 
-
                ctx = socket_connect_send(state->sock, NULL, unix_addr,
                                          0, result->event_ctx);
                ctx->async.fn = ldap_connect_recv_unix_conn;
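Review bot: The closing brace of the new error branch after `return result;` carries trailing whitespace (`}       `), the very kind of noise the first ntlm_auth.c hunk of this commit removes; drop it before merging. `char *end = NULL;` is also assigned unconditionally before its only use, so the initializer is redundant, though harmless. ldap_connect_send() continues beyond the hunk.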