ITS#4467: Fix snprintf buffer overflow test for olcDbQuarantine output.

Overrides previous patch which partly fixed it: it was a no-op test before.
2025-02-05 13:40:08 +08:00 · 2008-10-18 23:49:28 +00:00 · 2008-10-18 23:49:28 +00:00 · 7cd654253e
commit 7cd654253e
parent db2172c5c9
1 changed files with 11 additions and 13 deletions
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@ -510,53 +510,51 @@ slap_retry_info_unparse(
 	slap_retry_info_t	*ri,
 	struct berval		*bvout )
 {
-	int		i;
 	char		buf[ BUFSIZ * 2 ],
 			*ptr = buf;
-	struct berval	bv = BER_BVNULL;
+	int		i, len, restlen = (int) sizeof( buf );
+	struct berval	bv;

 	assert( ri != NULL );
 	assert( bvout != NULL );

 	BER_BVZERO( bvout );

-#define WHATSLEFT	( &buf[ sizeof( buf ) ] - ptr )
-
 	for ( i = 0; ri->ri_num[ i ] != SLAP_RETRYNUM_TAIL; i++ ) {
 		if ( i > 0 ) {
-			if ( WHATSLEFT <= 1 ) {
+			if ( --restlen <= 0 ) {
 				return 1;
 			}
 			*ptr++ = ';';
 		}

-		if ( lutil_unparse_time( ptr, WHATSLEFT, (long)ri->ri_interval[i] ) ) {
+		if ( lutil_unparse_time( ptr, restlen, ri->ri_interval[i] ) < 0 ) {
 			return 1;
 		}
-		ptr += strlen( ptr );
-
-		if ( WHATSLEFT <= 1 ) {
+		len = (int) strlen( ptr );
+		if ( (restlen -= len + 1) <= 0 ) {
 			return 1;
 		}
+		ptr += len;
 		*ptr++ = ',';

 		if ( ri->ri_num[i] == SLAP_RETRYNUM_FOREVER ) {
-			if ( WHATSLEFT <= 1 ) {
+			if ( --restlen <= 0 ) {
 				return 1;
 			}
 			*ptr++ = '+';

 		} else {
-			ptr += snprintf( ptr, WHATSLEFT, "%d", ri->ri_num[i] );
-			if ( WHATSLEFT <= 0 ) {
+			len = snprintf( ptr, restlen, "%d", ri->ri_num[i] );
+			if ( (restlen -= len) <= 0 || len < 0 ) {
 				return 1;
 			}
+			ptr += len;
 		}
 	}

 	bv.bv_val = buf;
 	bv.bv_len = ptr - buf;
-
 	ber_dupbv( bvout, &bv );

 	return 0;