diff --git a/libraries/libldap/getdn.c b/libraries/libldap/getdn.c
index a84a50be49..16f8530968 100644
--- a/libraries/libldap/getdn.c
+++ b/libraries/libldap/getdn.c
@@ -621,6 +621,7 @@ ldap_bv2dn( struct berval *bv, LDAPDN **dn, unsigned flags )
 LDAPRDN *newRDN = NULL, *tmpDN_[TMP_RDN_SLOTS], **tmpDN = tmpDN_;
 int num_slots = TMP_RDN_SLOTS;
 char *str = bv->bv_val;
+ char *end = str + bv->bv_len;
 assert( bv );
 assert( bv->bv_val );
@@ -679,7 +680,7 @@ ldap_bv2dn( struct berval *bv, LDAPDN **dn, unsigned flags )
 #endif
 }
- for ( ; p[ 0 ]; p++ ) {
+ for ( ; p < end; p++ ) {
 int err;
 struct berval tmpbv = { bv->bv_len - ( p - str ), (char *)p };
@@ -691,7 +692,7 @@ ldap_bv2dn( struct berval *bv, LDAPDN **dn, unsigned flags )
 /*
 * We expect a rdn separator
 */
- if ( p[ 0 ] ) {
+ if ( p < end && p[ 0 ] ) {
 switch ( LDAP_DN_FORMAT( flags ) ) {
 case LDAP_DN_FORMAT_LDAPV3:
 if ( !LDAP_DN_RDN_SEP( p[ 0 ] ) ) {
@@ -747,7 +748,7 @@ ldap_bv2dn( struct berval *bv, LDAPDN **dn, unsigned flags )
 num_slots *= 2;
 }
- if ( p[ 0 ] == '\0' ) {
+ if ( p >= end || p[ 0 ] == '\0' ) {
 /*
 * the DN is over, phew
 */
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 58e6a55a5a..4e7a8e2cdf 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
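Review bot: In the first getdn.c hunk the new initializer `char *end = str + bv->bv_len;` dereferences `bv` in the declarations, before `assert( bv );` and `assert( bv->bv_val );` run, so those asserts cannot catch a NULL argument ahead of its first use. The existing `char *str = bv->bv_val;` has the same ordering, so the new line extends an existing pattern rather than introducing it. I would declare `char *str, *end;` and assign `str = bv->bv_val; end = str + bv->bv_len;` directly after the two asserts. The body of ldap_bv2dn continues outside this hunk.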
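Review bot: In the last getdn.c hunk, `if ( p >= end || p[ 0 ] == '\0' )` still accepts a NUL byte inside the first `bv_len` bytes as the end of the DN, and `if ( p < end && p[ 0 ] )` in the -691 hunk skips the separator check for the same byte, while the loop in the -679 hunk is now bounded by `end` alone. A length-counted value with an embedded NUL would therefore appear to parse successfully as the shorter DN in front of the NUL, which is undesirable when the parsed DN feeds normalization for access-control matching. If NUL is not meant to terminate length-counted input, test only the bound (`if ( p < end ) {` and `if ( p >= end ) {`) so the NUL reaches the separator check; otherwise add a comment stating that both terminators are accepted on purpose. The code between these hunks is not visible, so how `p` is advanced past such a byte by the RDN parser should be confirmed.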
@@ -1348,22 +1348,18 @@ aci_match_set (
 /* format of string is "entry/setAttrName" */
 if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
 return(0);
- } else {
- /* FIXME: If dnNormalize was based on ldap_bv2dn
- * instead of ldap_str2dn and would honor the bv_len
- * we could skip this step and not worry about the
- * unterminated string.
- */
- char *s = ch_malloc(subjdn.bv_len + 1);
- AC_MEMCPY(s, subjdn.bv_val, subjdn.bv_len);
- subjdn.bv_val = s;
 }
 if ( aci_get_part(subj, 1, '/', &setat) < 0 ) {
 setat.bv_val = SLAPD_ACI_SET_ATTR;
 setat.bv_len = sizeof(SLAPD_ACI_SET_ATTR)-1;
 }
+
 if ( setat.bv_val != NULL ) {
+ /*
+ * NOTE: dnNormalize2 honors the ber_len field
+ * as the length of the dn to be normalized
+ */
 if ( dnNormalize2(NULL, &subjdn, &ndn) == LDAP_SUCCESS && slap_bv2ad(&setat, &desc, &text) == LDAP_SUCCESS ) {
@@ -1384,7 +1380,6 @@ aci_match_set (
 if (ndn.bv_val) free(ndn.bv_val);
 }
- ch_free(subjdn.bv_val);
 }
 if (set.bv_val != NULL) {
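Review bot: The comment added in the first acl.c hunk names a `ber_len` field, but the length member used on the surrounding lines is `bv_len` (`subjdn.bv_len`, `setat.bv_len`), so the note points at a field a reader cannot find here. It also omits the reason the length matters: the removed FIXME described `subjdn` as an unterminated string, and it is now handed to dnNormalize2 exactly as aci_get_part returned it. I would word it as `/* NOTE: subjdn is not NUL-terminated; dnNormalize2 must honor bv_len as the length of the DN */`. Any callee on that path that still scans for a terminating NUL would read on into the rest of the ACI value, so the dependency is worth stating in the comment. aci_match_set starts and ends outside the hunk.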