Protect from sprintf buffer overrun in ldapsearch -f file "(cn=%100000s)"

2025-04-18 15:20:35 +08:00 · 2006-04-05 20:48:15 +00:00 · 2006-04-05 20:48:15 +00:00 · 02cba98c0b
commit 02cba98c0b
parent b70d6dd8e6
1 changed files with 7 additions and 2 deletions
--- a/clients/tools/ldapsearch.c
+++ b/clients/tools/ldapsearch.c
@ -1049,13 +1049,18 @@ static int dosearch(
 	int			cancel_msgid = -1;

 	if( filtpatt != NULL ) {
-		filter = malloc( strlen( filtpatt ) + strlen( value ) );
+		size_t max_fsize = strlen( filtpatt ) + strlen( value ) + 1;
+		filter = malloc( max_fsize );
 		if( filter == NULL ) {
 			perror( "malloc" );
 			return EXIT_FAILURE;
 		}

-		sprintf( filter, filtpatt, value );
+		if( snprintf( filter, max_fsize, filtpatt, value ) >= max_fsize ) {
+			fprintf( stderr, "Bad filter pattern: \"%s\"\n", filtpatt );
+			free( filter );
+			return EXIT_FAILURE;
+		}

 		if ( verbose ) {
 			fprintf( stderr, _("filter: %s\n"), filter );