CVE-2015-3223: lib: ldb: Cope with canonicalise_fn returning string "", length 0.
authorJeremy Allison <jra@samba.org>
Tue, 9 Jun 2015 19:42:10 +0000 (12:42 -0700)
committerRalph Boehme <slow@samba.org>
Wed, 9 Dec 2015 16:17:04 +0000 (17:17 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
lib/ldb/common/ldb_match.c

index 7918aec65f166378a232e9da4513f1dd19928ff5..8bdb0e19b16e1b3a7e02166d6aa4da974e0fe04d 100644 (file)
@@ -270,6 +270,14 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
                if (cnk.length > val.length) {
                        goto mismatch;
                }
+               /*
+                * Empty strings are returned as length 0. Ensure
+                * we can cope with this.
+                */
+               if (cnk.length == 0) {
+                       goto mismatch;
+               }
+
                if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) goto mismatch;
                val.length -= cnk.length;
                val.data += cnk.length;
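Review bot: The added comment at the top of the hunk says what the check does (length 0 goes to mismatch) but not why that is the right result, and `memcmp` with a zero length would have compared equal, so the guard changes the outcome for an empty leading chunk from "trivially matches" to "never matches" rather than just avoiding a bad call. A reader of the second guard in this function sees the same wording and cannot tell whether the two are protecting a call or defining filter semantics. Suggest extending the comment to state the intent, e.g. `/* A chunk that canonicalises to "" (length 0) is treated as a non-match; memcmp/strstr on an empty chunk would otherwise report a match against anything. */`. ldb_wildcard_compare's body starts and ends outside the hunk, so the later handling of val.length after the subtraction is not visible here.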
@@ -283,7 +291,13 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
                chunk = tree->u.substring.chunks[c];
                if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
 
-               /* FIXME: case of embedded nulls */
+               /*
+                * Empty strings are returned as length 0. Ensure
+                * we can cope with this.
+                */
+               if (cnk.length == 0) {
+                       goto mismatch;
+               }
                p = strstr((char *)val.data, (char *)cnk.data);
                if (p == NULL) goto mismatch;
                if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
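Review bot: The `/* FIXME: case of embedded nulls */` line is dropped, but the `strstr((char *)val.data, (char *)cnk.data)` call it annotated is unchanged, so the concern it recorded is still open: strstr stops at the first NUL in either buffer, whereas cnk.length and val.length are explicit lengths, so a chunk or value containing an embedded NUL is only compared up to that byte. The new length-0 guard is independent of that and does not close it. Suggest keeping the FIXME, e.g. `/* FIXME: strstr ignores cnk.length/val.length and stops at embedded NULs; a length-bounded search would be correct here. */`, so the limitation stays visible next to the call. The enclosing function continues outside the hunk.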