util/rfc1738_unescape(): return end pointer or NULL on error

At present we don't detect errors, but when we do we'll return NULL. Signed-off-by: Douglas Bagnall <[email protected]> Reviewed-by: Andrew Bartlett <[email protected]>
17500mph · Feb 22, 2018 · a4c853a · a4c853a
1 parent 6ef6ddc
commit a4c853a
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 12 deletions.
diff --git a/lib/util/rfc1738.c b/lib/util/rfc1738.c
@@ -193,8 +193,8 @@ rfc1738_escape_part(TALLOC_CTX *mem_ctx, const char *url)
  *  rfc1738_unescape() - Converts escaped characters (%xy numbers) in
  *  given the string.  %% is a %. %ab is the 8-bit hexadecimal number "ab"
  */
-_PUBLIC_ void
-rfc1738_unescape(char *s)
+
+_PUBLIC_ char *rfc1738_unescape(char *s)
 {
     char hexnum[3];
     int i, j;			/* i is write, j is read */
@@ -222,4 +222,5 @@ rfc1738_unescape(char *s)
         }
     }
     s[i] = '\0';
+	return s + i;
 }
diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
@@ -225,7 +225,7 @@ _PUBLIC_ char *hex_encode_talloc(TALLOC_CTX *mem_ctx, const unsigned char *buff_
 /**
  Unescape a URL encoded string, in place.
 **/
-_PUBLIC_ void rfc1738_unescape(char *buf);
+_PUBLIC_ char *rfc1738_unescape(char *buf);
 
 
 /**

diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
@@ -698,12 +698,16 @@ static char *
 uri_unescape_alloc(const char *uritok)
 {
 	char *ret;
-
+	char *end;
 	ret = (char *) SMB_STRDUP(uritok);
 	if (!ret) {
 		return NULL;
 	}
 
-	rfc1738_unescape(ret);
+	end = rfc1738_unescape(ret);
+	if (end == NULL) {
+		free(ret);
+		return NULL;
+	}
 	return ret;
 }
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
@@ -1260,7 +1260,7 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
 				   struct ntlm_auth_state *state,
 					char *buf, int length, void **private2)
 {
-	char *user, *pass;	
+	char *user, *pass;
 	user=buf;
 
 	pass=(char *)memchr(buf,' ',length);
@@ -1273,8 +1273,20 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
 	pass++;
 
 	if (state->helper_mode == SQUID_2_5_BASIC) {
-		rfc1738_unescape(user);
-		rfc1738_unescape(pass);
+		char *end = rfc1738_unescape(user);
+		if (end == NULL || (end - user) != strlen(user)) {
+			DEBUG(2, ("Badly rfc1738 encoded username: %s; "
+				  "denying access\n", user));
+			printf("ERR\n");
+			return;
+		}
+		end = rfc1738_unescape(pass);
+		if (end == NULL || (end - pass) != strlen(pass)) {
+			DEBUG(2, ("Badly encoded password for %s; "
+				  "denying access\n", user));
+			printf("ERR\n");
+			return;
+		}
 	}
 
 	if (check_plaintext_auth(user, pass, False)) {

diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c
@@ -412,7 +412,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
 	if (strequal(protocol, "ldapi")) {
 		struct socket_address *unix_addr;
 		char path[1025];
-
+		char *end = NULL;
 		NTSTATUS status = socket_create("unix", SOCKET_TYPE_STREAM, &state->sock, 0);
 		if (!NT_STATUS_IS_OK(status)) {
 			return NULL;
@@ -439,15 +439,18 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
 			return result;
 		}
 
-		rfc1738_unescape(path);
-
+		end = rfc1738_unescape(path);
+		if (end == NULL) {
+			composite_error(state->ctx,
+					NT_STATUS_INVALID_PARAMETER);
+			return result;
+		}	
 		unix_addr = socket_address_from_strings(state, state->sock->backend_name,
 							path, 0);
 		if (composite_nomem(unix_addr, result)) {
 			return result;
 		}
 
-
 		ctx = socket_connect_send(state->sock, NULL, unix_addr,
 					  0, result->event_ctx);
 		ctx->async.fn = ldap_connect_recv_unix_conn;
-Original file line number
+Diff line change
@@ Expand Up @@
     /**
      Unescape a URL encoded string, in place.
     **/
-    _PUBLIC_ void rfc1738_unescape(char *buf);
+    _PUBLIC_ char *rfc1738_unescape(char *buf);
     /**
@@ Expand Down @@