diff --git a/Makefile b/Makefile
index 68008c4..a2a89ec 100644
--- a/Makefile
+++ b/Makefile
@@ -50,7 +50,7 @@ CC=$(CROSS)gcc
 CFLAGS=-pipe -I. -Wall -W -Wextra
 ifneq ($(DEBUG),)
 DIET=/opt/diet/bin/diet
-CFLAGS=-pipe -I. -Wall -W -g -fstack-protector
+CFLAGS=-pipe -I. -Wall -W -Wextra -g -fstack-protector
 endif
 ifeq ($(COVERAGE),1)
 DIET=
@@ -111,6 +111,7 @@ clean:
 rm -f t t[1-9] *.[ao] bindrequest tinyldap ldapclient \
 parse tinyldap_standalone tinyldap_debug ldapclient_str addindex \
 dumpidx idx2ldif md5password ldapdelete dumpacls asn1dump acl \
+mysql2ldif x \
 *.da *.bbg *.bb *.gcov gmon.out *.gcda *.gcno test/bind bind/ebind
 tar: clean
diff --git a/THANKS b/THANKS
index e9a2e7f..6966cae 100644
--- a/THANKS
+++ b/THANKS
@@ -16,3 +16,5 @@ I'd be astounded if someone found a way to exploit it, though.
 Andreas also ran tinyldap in afl and found two double frees.
 At least one of them looks like it might be exploitable if you are not
 using dietlibc.
+
+Georg Lehner found problems in the indexing code.
diff --git a/fmt_ldapbindrequest.c b/fmt_ldapbindrequest.c
index 88c2243..9f8be99 100644
--- a/fmt_ldapbindrequest.c
+++ b/fmt_ldapbindrequest.c
@@ -9,10 +9,12 @@ size_t fmt_ldapbindrequest(char* dest,long version,const char* name,const char*
 sum=l=fmt_asn1INTEGER(dest,version);
 if (dest) dest+=l;
 l=fmt_asn1OCTETSTRING(dest,name,nlen);
- if (add_of(sum,sum,l)) return (size_t)-1; if (dest) dest+=l;
+ if (add_of(sum,sum,l)) return (size_t)-1;
+ if (dest) dest+=l;
 // sum+=l; if (dest) dest+=l;
 nlen=str_len(simple);
 l=fmt_asn1string(dest,PRIVATE,PRIMITIVE,0,simple,nlen);
- if (add_of(sum,sum,l)) return (size_t)-1; if (dest) dest+=l;
+ if (add_of(sum,sum,l)) return (size_t)-1;
+ if (dest) dest+=l;
 return sum;
 }
diff --git a/fmt_ldapsearchfilter.c b/fmt_ldapsearchfilter.c
index bbd2c55..ceb3746 100644
--- a/fmt_ldapsearchfilter.c
+++ b/fmt_ldapsearchfilter.c
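Review bot: fmt_ldapbindrequest now returns `(size_t)-1` from the two add_of checks, but nothing in the hunk documents that sentinel, and a caller that sizes the encoding with dest==NULL and then allocates would hand the overflow value straight to an allocator. Please add a header comment above the function along the lines of `/* returns the encoded length, or (size_t)-1 if the total length overflows; size-only callers (dest==NULL) must check for it before allocating */`. The first length `sum=l=fmt_asn1INTEGER(...)` needs no check because sum starts from it, which is worth a short comment too. Reusing the `nlen` parameter for `str_len(simple)` is easy to misread; a separate local would keep the two lengths distinct. The parameter list is cut off in the hunk header, so the full signature is not visible here.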
@@ -20,7 +20,8 @@ size_t fmt_ldapsubstring(char* dest,const struct Substring* s) {
 size_t sum=0,tmp=0;
 while (s) {
 tmp=fmt_asn1string(dest,PRIVATE,PRIMITIVE,s->substrtype,s->s.s,s->s.l);
- if (dest) dest+=tmp; sum+=tmp;
+ if (dest) dest+=tmp;
+ sum+=tmp;
 s=s->next;
 }
 return sum;
diff --git a/mysql2ldif.c b/mysql2ldif.c
index 670e3be..cd77e51 100644
--- a/mysql2ldif.c
+++ b/mysql2ldif.c
@@ -26,7 +26,7 @@ int main() {
 static array fn; /* field names */
 static char* table;
 int mode=0;
- int pkey;
+ int pkey=-1;
 while (buffer_getnewline_sa(buffer_0,&sa)==1) {
 ++line;
@@ -132,7 +132,7 @@ int main() {
 parseerror("expected NULL, 'string' or 1234");
 ++n;
 }
- if (!c[pkey]) {
+ if (pkey==-1 || !c[pkey]) {
 parseerror("primary key empty");
 }
 buffer_putm(buffer_1,"dn: ",c[pkey],"\nobjectClass: mysql2ldif\n");
diff --git a/parse.c b/parse.c
index 4a564ac..7e26e52 100644
--- a/parse.c
+++ b/parse.c
@@ -110,20 +110,23 @@ int ldif_callback(struct ldaprec* l) {
 uint32_pack(x+4,0);
 // ofs=recofs;
- if (buffer_put(&rbuf,x,8)) return -1; recofs+=8;
+ if (buffer_put(&rbuf,x,8)) return -1;
+ recofs+=8;
 // if ((ofs=mstorage_add(&records,x,8))==(uint32)-1) return -1;
 uint32_pack(x,l->dn);
 uint32_pack(x+4,oc);
- if (buffer_put(&rbuf,x,8)) return -1; recofs+=8;
+ if (buffer_put(&rbuf,x,8)) return -1;
+ recofs+=8;
 // if (mstorage_add(&records,x,8)==-1) return -1;
 for (i=0; in; ++i) {
 if (l->a[i].name==objectClass && l->a[i].value==(uint32)-1) continue;
 uint32_pack(x,l->a[i].name);
 uint32_pack(x+4,l->a[i].value);
- if (buffer_put(&rbuf,x,8)) return -1; recofs+=8;
+ if (buffer_put(&rbuf,x,8)) return -1;
+ recofs+=8;
 // if (mstorage_add(&records,x,8)==-1) return -1;
 }
 // uint32_pack(x,ofs);
diff --git a/scan_asn1rawoid.c b/scan_asn1rawoid.c
index 814009d..d23e93a 100644
--- a/scan_asn1rawoid.c
+++ b/scan_asn1rawoid.c
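Review bot: `sum+=tmp;` in fmt_ldapsubstring still accumulates without an overflow check, while the same commit guards the equivalent accumulation in fmt_ldapbindrequest with add_of. For consistency the loop body could read `if (add_of(sum,sum,tmp)) return (size_t)-1;` in place of `sum+=tmp;`, assuming add_of is available in this file as it is in fmt_ldapbindrequest.c and that callers check for the sentinel. How many terms are summed is decided by the caller's Substring list, which is not visible here, so the check costs nothing and removes a dependency on that list being short.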
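Review bot: The new guard `if (pkey==-1 || !c[pkey])` covers the never-set case, but it does not check that pkey is below the number of values parsed into `c` (the `++n` just above suggests n is that count), so a primary-key column beyond the row's values would still index past the filled entries. If pkey can exceed n, extend the guard to `if (pkey==-1 || pkey>=n || !c[pkey])`. This also relies on parseerror() not returning, since `c[pkey]` is used unconditionally in the buffer_putm call right after; if it does return, the -1 case would still evaluate c[-1]. The `pkey=-1` initializer in the earlier mysql2ldif hunk is what this check depends on.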
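Review bot: The `if (buffer_put(&rbuf,x,8)) return -1;` / `recofs+=8;` pair now appears three times in ldif_callback; a small file-scope helper would remove the duplication that made the original one-liners easy to misread, e.g. `static int put_rec(const char* x) { if (buffer_put(&rbuf,x,8)) return -1; recofs+=8; return 0; }` and `if (put_rec(x)) return -1;` at each site. This assumes rbuf and recofs are file-scope, as their unqualified use here suggests. The loop header reads `for (i=0; in; ++i)` in this rendering, so its bound is not visible; ldif_callback starts before and continues after this hunk.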
@@ -18,8 +18,8 @@ size_t scan_asn1rawoid(const char* src,const char* max,size_t* array,size_t* arr
 b+=(a-2)*40; a=2;
 }
- if (array && cur2) goto error; last->operation=etmp; res+=tmp;
+ if (etmp>2) goto error;
+ last->operation=etmp; res+=tmp;
 {
 size_t iislen; /* urgh, _three_ levels of indirection */
 const char* imax;
diff --git a/scan_ldapsearchrequest.c b/scan_ldapsearchrequest.c
index 6e5dfa4..26a6646 100644
--- a/scan_ldapsearchrequest.c
+++ b/scan_ldapsearchrequest.c
@@ -11,9 +11,11 @@ size_t scan_ldapsearchrequest(const char* src,const char* max,
 s->filter=0;
 if (!(res=scan_ldapstring(src,max,&s->baseObject))) goto error;
 if (!(tmp=scan_asn1ENUMERATED(src+res,max,&etmp))) goto error;
- if (etmp>2) goto error; s->scope=etmp; res+=tmp;
+ if (etmp>2) goto error;
+ s->scope=etmp; res+=tmp;
 if (!(tmp=scan_asn1ENUMERATED(src+res,max,&etmp))) goto error;
- if (etmp>3) goto error; s->derefAliases=etmp; res+=tmp;
+ if (etmp>3) goto error;
+ s->derefAliases=etmp; res+=tmp;
 if (!(tmp=scan_asn1INTEGER(src+res,max,<mp)) || ltmp<0) goto error;
 s->sizeLimit=(unsigned long)ltmp; res+=tmp;
diff --git a/t2.c b/t2.c
index 79062fd..925cf07 100644
--- a/t2.c
+++ b/t2.c
@@ -46,7 +46,8 @@ mergesub:
 int first=1;
 printf("%.*s has ",(int)f->ava.desc.l,f->ava.desc.s);
 while (s) {
- if (!first) printf(" and "); first=0;
+ if (!first) printf(" and ");
+ first=0;
 switch(s->substrtype) {
 case prefix: printf("prefix \""); break;
 case any: printf("substr \""); break;
diff --git a/tinyldap.c b/tinyldap.c
index 38d8c3d..99834ca 100644
--- a/tinyldap.c
+++ b/tinyldap.c
@@ -573,6 +573,16 @@ static inline void fillset(struct bitfield* b) {
 for (i=0; ibits[i]=(unsigned long)-1;
 }
+static inline void invertset(struct bitfield* b) {
+ size_t i;
+ b->first=0;
+#ifdef RANGECHECK
+ b->n=
+#endif
+ b->last=record_count;
+ for (i=0; ibits[i] = ~b->bits[i];
+}
+
 /* basic bit-set support: set one bit to 1 */
 static inline void setbit(struct bitfield* b,size_t bit) {
 #ifdef RANGECHECK
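Review bot: The removed line in this hunk, `if (array && cur2) goto error; last->operation=etmp; res+=tmp;`, mixes scan_asn1rawoid's array/cur bound check with an `operation=etmp` assignment that belongs to a different scanner, and the added lines replace it with an `etmp>2` check that has no counterpart in an OID scanner; the hunk appears to have lost text in rendering (presumably everything between a `<` and a `>`), so the real change to the `cur` bound cannot be reviewed here. Since that comparison is the write bound for `array`, please re-check it against the actual file; the hunk line counts (one removed, two added, both sides 8 lines) also do not add up, which supports the rendering loss.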
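Review bot: The range checks `etmp>2` and `etmp>3` in scan_ldapsearchrequest only reject values above the enumeration range; if `etmp` is a signed type, a negative ENUMERATED from the wire passes them and is stored into s->scope and s->derefAliases, whereas the sizeLimit line in the same hunk explicitly rejects `ltmp<0`. If etmp is signed, change them to `if (etmp<0 || etmp>2) goto error;` and `if (etmp<0 || etmp>3) goto error;`; if it is unsigned, a one-line comment saying so would save the next reader the same question. etmp's declaration is above this hunk and not visible here.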
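Review bot: invertset has no comment stating its contract, and it resets `first`/`last` to the whole range, so a one-liner such as `/* complement: every record in [0,record_count) that is not in b; first/last widen to the full range */` above it would explain the reset. Like fillset, it also leaves the bits above record_count in the last word set, which is harmless only if every consumer stops at `b->last` rather than scanning whole words; if that is not guaranteed, mask the tail word after the loop (LSB-first numbering assumed, setbit would confirm). The loop header is garbled in this rendering (`for (i=0; ibits[i]`), so the number of words iterated is not visible.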
@@ -645,7 +655,7 @@ static void tagmatches(uint32* index,size_t elements,struct string* s,
 /* there may be multiple matches.
 * Look before and after mid, too */
 if (mid) /* thx Andreas Stührk */
- for (k=mid-1; k>0; --k) {
+ for (k=mid-1; k!=(uint32_t)-1; --k) {
 m=uint32_read((char*)(&index[k]));
 if ((ft==LESSEQUAL) || (l=match(s,map+m))==0) {
 if (index_type==0)
@@ -819,11 +829,16 @@ static int useindex(struct Filter* f,struct bitfield* b) {
 }
 return ok;
 }
-#if 0
- /* doesn't make much sense to try to speed up negated queries */
 case NOT:
- return indexable(y);
-#endif
+ {
+ if (y) {
+ emptyset(b);
+ useindex(y,b);
+ invertset(b);
+ } else
+ emptyset(b);
+ return 1;
+ }
 case SUBSTRING:
 if (f->substrings->substrtype!=prefix) return 0;
 {
diff --git a/tls_doread.c b/tls_doread.c
index a5d4781..b30b3c6 100644
--- a/tls_doread.c
+++ b/tls_doread.c
@@ -3,6 +3,7 @@
 #include
 #include
 #include
+#include
 tls_error_code tls_doread(uintptr_t fd,struct ssl_context* sc) {
 size_t l;
diff --git a/x.c b/x.c
index 3f99a71..00975e9 100644
--- a/x.c
+++ b/x.c
@@ -30,8 +30,6 @@ char pkt[]=
 "\x00\x01\x01\x15\x03\x03\x00\x02\x02\x30";
 int main() {
- char buf[200];
- size_t l;
 struct ssl_context sc;
 int fd;
@@ -43,6 +41,8 @@ int main() {
 diesys(1,"connect");
 #if 0
+ size_t l;
+ char buf[200];
 init_tls_context_norandom(&sc,NULL);
 printf("%zu\n",fmt_tls_serverhello(NULL,pkt,sizeof(pkt),&sc));
 init_tls_context_norandom(&sc,"blog.fefe.de");
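Review bot: The new loop termination `k!=(uint32_t)-1` in tagmatches is only correct if `k` is exactly 32 bits wide; k's declaration is outside the hunk, and if it is `size_t` (the function takes `elements` as size_t) the sentinel is never reached after k wraps below 0 and `index[k]` is read far out of bounds, which is worse than the original off-by-one that merely skipped index[0]. A form independent of k's type is `for (k=mid; k-- > 0;) {`, which visits mid-1 down to 0 and stops. The `uint32_t` spelling also differs from the `uint32` typedef used for `index` in the same signature.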
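Review bot: In the new `case NOT:` branch the result of `useindex(y,b)` is discarded, so when the inner filter is not indexable and useindex returns 0 the set stays empty, invertset turns it into every record, and NOT still returns 1, leaving the caller unable to tell a real index hit from "everything". Whether that is harmless depends on whether a 1 result is treated as exact matches or as candidates the full filter re-checks, which is not visible here; the `match()` re-checks in tagmatches suggest some index results are candidate supersets, and the complement of a superset is a subset, so `NOT y` would then silently drop matching records. Propagating the inner result with `if (!useindex(y,b)) return 0;` fixes the first point; the second needs a comment on invertset's call site stating that inversion is only sound when the inner result is exact, or a check of that property. useindex's body continues outside this hunk.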