add some sanity checks...

servers/slapd/modify.c

@@ -220,7 +220,7 @@ fe_op_modify( Operation *op, SlapReply *rs )
 	char		textbuf[ SLAP_TEXT_BUFLEN ];
 	size_t		textlen = sizeof( textbuf );
 	
-	if( op->o_req_ndn.bv_len == 0 ) {
+	if( BER_BVISEMPTY( &op->o_req_ndn ) ) {
 		Debug( LDAP_DEBUG_ANY, "do_modify: root dse!\n", 0, 0, 0 );
 
 		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
@@ -650,7 +650,7 @@ int slap_mods_check(
 			 * check that each value is valid per syntax
 			 *	and pretty if appropriate
 			 */
-			for ( nvals = 0; ml->sml_values[nvals].bv_val; nvals++ ) {
+			for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) {
 				struct berval pval;
 
 				if ( pretty ) {
@@ -713,7 +713,7 @@ int slap_mods_check(
 				ml->sml_nvalues = ber_memalloc_x(
 					(nvals+1)*sizeof(struct berval), ctx );
 
-				for ( nvals = 0; ml->sml_values[nvals].bv_val; nvals++ ) {
+				for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) {
 #ifdef SLAP_ORDERED_PRETTYNORM
 					rc = ordered_value_normalize(
 						SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
@@ -830,7 +830,7 @@ void slap_mods_opattrs(
 			csn = op->o_csn;
 		}
 		ptr = strchr( csn.bv_val, '#' );
-		if ( ptr ) {
+		if ( ptr && ptr < &csn.bv_val[csn.bv_len] ) {
 			timestamp.bv_len = ptr - csn.bv_val;
 			if ( timestamp.bv_len >= sizeof( timebuf ))
 				timestamp.bv_len = sizeof( timebuf ) - 1;

servers/slapd/value.c

@@ -424,7 +424,7 @@ ordered_value_validate(
 			char	*ptr;
 
 			ptr = strchr( bv.bv_val, '}' );
-			if ( ptr == NULL ) {
+			if ( ptr == NULL || ptr > &bv.bv_val[ bv.bv_len ] ) {
 				return LDAP_INVALID_SYNTAX;
 			}
 			ptr++;
@@ -466,7 +466,7 @@ ordered_value_pretty(
 			char	*ptr;
 
 			ptr = strchr( bv.bv_val, '}' );
-			if ( ptr == NULL ) {
+			if ( ptr == NULL || ptr > &bv.bv_val[ bv.bv_len ] ) {
 				return LDAP_INVALID_SYNTAX;
 			}
 			ptr++;
@@ -525,11 +525,11 @@ ordered_value_normalize(
 	if ( ad->ad_type->sat_flags & SLAP_AT_ORDERED ) {
 
 		/* Skip past the assertion index */
-		if ( bv.bv_val[0] == '{' ) {
+		if ( bv.bv_val[ 0 ] == '{' ) {
 			char	*ptr;
 
 			ptr = strchr( bv.bv_val, '}' );
-			if ( ptr == NULL ) {
+			if ( ptr == NULL || ptr > &bv.bv_val[ bv.bv_len ] ) {
 				return LDAP_INVALID_SYNTAX;
 			}
 			ptr++;
@@ -600,7 +600,11 @@ ordered_value_match(
 
 		/* Skip past the assertion index */
 		if ( bv2.bv_val[0] == '{' ) {
-			ptr = strchr( bv2.bv_val, '}' ) + 1;
+			ptr = strchr( bv2.bv_val, '}' );
+			if ( ptr == NULL || ptr > &bv2.bv_val[ bv2.bv_len ] ) {
+				return LDAP_INVALID_SYNTAX;
+			}
+			ptr++;
 			bv2.bv_len -= ptr - bv2.bv_val;
 			bv2.bv_val = ptr;
 			v2 = &bv2;
@@ -627,7 +631,11 @@ ordered_value_match(
 		}
 		/* Skip past the attribute index */
 		if ( bv1.bv_val[0] == '{' ) {
-			ptr = strchr( bv1.bv_val, '}' ) + 1;
+			ptr = strchr( bv1.bv_val, '}' );
+			if ( ptr == NULL || ptr > &bv1.bv_val[ bv1.bv_len ] ) {
+				return LDAP_INVALID_SYNTAX;
+			}
+			ptr++;
 			bv1.bv_len -= ptr - bv1.bv_val;
 			bv1.bv_val = ptr;
 			v1 = &bv1;
@@ -684,9 +692,17 @@ ordered_value_add(
 	}
 
 	for (i=0; i<vnum; i++) {
+		char	*next;
+
 		k = -1;
 		if ( vals[i].bv_val[0] == '{' ) {
-			k = strtol( vals[i].bv_val+1, NULL, 0 );
+			k = strtol( vals[i].bv_val+1, &next, 0 );
+			if ( next == vals[i].bv_val + 1 ||
+				next[ 0 ] != '}' ||
+				next - vals[i].bv_val > vals[i].bv_len )
+			{
+				return -1;
+			}
 			if ( k > anum ) k = -1;
 		}
 		/* No index, or index is greater than current number of