From: Gary Lockyer <gary@catalyst.net.nz>
Date: Mon, 18 Feb 2019 21:26:56 +0000 (+1300)
Subject: CVE-2019-3824 ldb: wildcard_match end of data check
X-Git-Tag: ldb-1.2.4~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ddaf853404f3cddef84b77b38951526d73ffbda;p=thirdparty%2Fsamba.git

CVE-2019-3824 ldb: wildcard_match end of data check

ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0'
to the data, to make them safe to use the C string functions on.

However testing for the trailing '\0' is not the correct way to test for
the end of a value, the length should be checked instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
---

diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
index 5326b009077..af61de52e27 100644
--- a/lib/ldb/common/ldb_match.c
+++ b/lib/ldb/common/ldb_match.c
@@ -353,7 +353,7 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 	}
 
 	/* last chunk may not have reached end of string */
-	if ( (! tree->u.substring.end_with_wildcard) && (*(val.data) != 0) ) goto mismatch;
+	if ( (! tree->u.substring.end_with_wildcard) && (val.length != 0) ) goto mismatch;
 	talloc_free(save_p);
 	*matched = true;
 	return LDB_SUCCESS;