From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Tue, 8 Dec 2020 08:32:09 +0000 (+1300)
Subject: CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds
X-Git-Tag: tevent-0.11.0~1400
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1fe8c790b2294fd10fe9c9c6254ecf2b6c00b709;p=thirdparty%2Fsamba.git

CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds

For a string that had N spaces at the beginning, we would
try to move N bytes beyond the end of the string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/lib/ldb/common/attrib_handlers.c b/lib/ldb/common/attrib_handlers.c
index 11921ca429c..81a74584bcb 100644
--- a/lib/ldb/common/attrib_handlers.c
+++ b/lib/ldb/common/attrib_handlers.c
@@ -76,7 +76,7 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx,
 	
 	/* remove leading spaces if any */
 	if (*s == ' ') {
-		for (t = s; *s == ' '; s++) ;
+		for (t = s; *s == ' '; s++, l--) ;
 
 		/* remove leading spaces by moving down the string */
 		memmove(t, s, l);