search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2019-3824 ldb: Add tests for ldb_wildcard_match
[Samba.git] / lib / ldb / common / ldb_pack.c
blob448c577ae1b9a69bf8489a9a701153f900a6df4f
1 /*
2 ldb database library
3
4 Copyright (C) Andrew Tridgell 2004
5
6 ** NOTE! The following LGPL license applies to the ldb
7 ** library. This does NOT imply that all of Samba is released
8 ** under the LGPL
9
10 This library is free software; you can redistribute it and/or
11 modify it under the terms of the GNU Lesser General Public
12 License as published by the Free Software Foundation; either
13 version 3 of the License, or (at your option) any later version.
14
15 This library is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
19
20 You should have received a copy of the GNU Lesser General Public
21 License along with this library; if not, see <http://www.gnu.org/licenses/>.
22 */
23
24 /*
25 * Name: ldb
26 *
27 * Component: ldb pack/unpack
28 *
29 * Description: pack/unpack routines for ldb messages as key/value blobs
30 *
31 * Author: Andrew Tridgell
32 */
33
34 #include "ldb_private.h"
35
36 /* change this if the data format ever changes */
37 #define LDB_PACKING_FORMAT 0x26011967
38
39 /* old packing formats */
40 #define LDB_PACKING_FORMAT_NODN 0x26011966
41
42 /* use a portable integer format */
43 static void put_uint32(uint8_t *p, int ofs, unsigned int val)
44 {
45 p += ofs;
46 p[0] = val&0xFF;
47 p[1] = (val>>8) & 0xFF;
48 p[2] = (val>>16) & 0xFF;
49 p[3] = (val>>24) & 0xFF;
50 }
51
52 static unsigned int pull_uint32(uint8_t *p, int ofs)
53 {
54 p += ofs;
55 return p[0] | (p[1]<<8) | (p[2]<<16) | (p[3]<<24);
56 }
57
58 static int attribute_storable_values(const struct ldb_message_element *el)
59 {
60 if (el->num_values == 0) return 0;
61
62 if (ldb_attr_cmp(el->name, "distinguishedName") == 0) return 0;
63
64 return el->num_values;
65 }
66
67 /*
68 pack a ldb message into a linear buffer in a ldb_val
69
70 note that this routine avoids saving elements with zero values,
71 as these are equivalent to having no element
72
73 caller frees the data buffer after use
74 */
75 int ldb_pack_data(struct ldb_context *ldb,
76 const struct ldb_message *message,
77 struct ldb_val *data)
78 {
79 unsigned int i, j, real_elements=0;
80 size_t size, dn_len, attr_len, value_len;
81 const char *dn;
82 uint8_t *p;
83 size_t len;
84
85 dn = ldb_dn_get_linearized(message->dn);
86 if (dn == NULL) {
87 errno = ENOMEM;
88 return -1;
89 }
90
91 /* work out how big it needs to be */
92 size = 8;
93
94 size += 1;
95
96 dn_len = strlen(dn);
97 if (size + dn_len < size) {
98 errno = ENOMEM;
99 return -1;
100 }
101 size += dn_len;
102
103 /*
104 * First calcuate the buffer size we need, and check for
105 * overflows
106 */
107 for (i=0;i<message->num_elements;i++) {
108 if (attribute_storable_values(&message->elements[i]) == 0) {
109 continue;
110 }
111
112 real_elements++;
113
114 if (size + 5 < size) {
115 errno = ENOMEM;
116 return -1;
117 }
118 size += 5;
119
120 attr_len = strlen(message->elements[i].name);
121 if (size + attr_len < size) {
122 errno = ENOMEM;
123 return -1;
124 }
125 size += attr_len;
126
127 for (j=0;j<message->elements[i].num_values;j++) {
128 if (size + 5 < size) {
129 errno = ENOMEM;
130 return -1;
131 }
132 size += 5;
133
134 value_len = message->elements[i].values[j].length;
135 if (size + value_len < size) {
136 errno = ENOMEM;
137 return -1;
138 }
139 size += value_len;
140 }
141 }
142
143 /* allocate it */
144 data->data = talloc_array(ldb, uint8_t, size);
145 if (!data->data) {
146 errno = ENOMEM;
147 return -1;
148 }
149 data->length = size;
150
151 p = data->data;
152 put_uint32(p, 0, LDB_PACKING_FORMAT);
153 put_uint32(p, 4, real_elements);
154 p += 8;
155
156 /* the dn needs to be packed so we can be case preserving
157 while hashing on a case folded dn */
158 len = dn_len;
159 memcpy(p, dn, len+1);
160 p += len + 1;
161
162 for (i=0;i<message->num_elements;i++) {
163 if (attribute_storable_values(&message->elements[i]) == 0) {
164 continue;
165 }
166 len = strlen(message->elements[i].name);
167 memcpy(p, message->elements[i].name, len+1);
168 p += len + 1;
169 put_uint32(p, 0, message->elements[i].num_values);
170 p += 4;
171 for (j=0;j<message->elements[i].num_values;j++) {
172 put_uint32(p, 0, message->elements[i].values[j].length);
173 memcpy(p+4, message->elements[i].values[j].data,
174 message->elements[i].values[j].length);
175 p[4+message->elements[i].values[j].length] = 0;
176 p += 4 + message->elements[i].values[j].length + 1;
177 }
178 }
179
180 return 0;
181 }
182
183 static bool ldb_consume_element_data(uint8_t **pp, size_t *premaining)
184 {
185 unsigned int remaining = *premaining;
186 uint8_t *p = *pp;
187 uint32_t num_values = pull_uint32(p, 0);
188 uint32_t j, len;
189
190 p += 4;
191 if (remaining < 4) {
192 return false;
193 }
194 remaining -= 4;
195 for (j = 0; j < num_values; j++) {
196 len = pull_uint32(p, 0);
197 if (remaining < 5) {
198 return false;
199 }
200 remaining -= 5;
201 if (len > remaining) {
202 return false;
203 }
204 remaining -= len;
205 p += len + 4 + 1;
206 }
207
208 *premaining = remaining;
209 *pp = p;
210 return true;
211 }
212
213
214 /*
215 * Unpack a ldb message from a linear buffer in ldb_val
216 *
217 * Providing a list of attributes to this function allows selective unpacking.
218 * Giving a NULL list (or a list_size of 0) unpacks all the attributes.
219 */
220 int ldb_unpack_data_only_attr_list_flags(struct ldb_context *ldb,
221 const struct ldb_val *data,
222 struct ldb_message *message,
223 const char * const *list,
224 unsigned int list_size,
225 unsigned int flags,
226 unsigned int *nb_elements_in_db)
227 {
228 uint8_t *p;
229 size_t remaining;
230 size_t dn_len;
231 unsigned int i, j;
232 unsigned format;
233 unsigned int nelem = 0;
234 size_t len;
235 unsigned int found = 0;
236 struct ldb_val *ldb_val_single_array = NULL;
237
238 if (list == NULL) {
239 list_size = 0;
240 }
241
242 message->elements = NULL;
243
244 p = data->data;
245 if (data->length < 8) {
246 errno = EIO;
247 goto failed;
248 }
249
250 format = pull_uint32(p, 0);
251 message->num_elements = pull_uint32(p, 4);
252 p += 8;
253 if (nb_elements_in_db) {
254 *nb_elements_in_db = message->num_elements;
255 }
256
257 remaining = data->length - 8;
258
259 switch (format) {
260 case LDB_PACKING_FORMAT_NODN:
261 message->dn = NULL;
262 break;
263
264 case LDB_PACKING_FORMAT:
265 /*
266 * With this check, we know that the DN at p is \0
267 * terminated.
268 */
269 dn_len = strnlen((char *)p, remaining);
270 if (dn_len == remaining) {
271 errno = EIO;
272 goto failed;
273 }
274 if (flags & LDB_UNPACK_DATA_FLAG_NO_DN) {
275 message->dn = NULL;
276 } else {
277 struct ldb_val blob;
278 blob.data = discard_const_p(uint8_t, p);
279 blob.length = dn_len;
280 message->dn = ldb_dn_from_ldb_val(message, ldb, &blob);
281 if (message->dn == NULL) {
282 errno = ENOMEM;
283 goto failed;
284 }
285 }
286 /*
287 * Redundant: by definition, remaining must be more
288 * than one less than dn_len, as otherwise it would be
289 * == dn_len
290 */
291 if (remaining < dn_len + 1) {
292 errno = EIO;
293 goto failed;
294 }
295 remaining -= dn_len + 1;
296 p += dn_len + 1;
297 break;
298
299 default:
300 errno = EIO;
301 goto failed;
302 }
303
304
305 if (flags & LDB_UNPACK_DATA_FLAG_NO_ATTRS) {
306 return 0;
307 }
308
309 if (message->num_elements == 0) {
310 return 0;
311 }
312
313 if (message->num_elements > remaining / 6) {
314 errno = EIO;
315 goto failed;
316 }
317
318 message->elements = talloc_zero_array(message, struct ldb_message_element,
319 message->num_elements);
320 if (!message->elements) {
321 errno = ENOMEM;
322 goto failed;
323 }
324
325 /*
326 * In typical use, most values are single-valued. This makes
327 * it quite expensive to allocate an array of ldb_val for each
328 * of these, just to then hold the pointer to the data buffer
329 * (in the LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC we don't
330 * allocate the data). So with
331 * LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC we allocate this ahead
332 * of time and use it for the single values where possible.
333 * (This is used the the normal search case, but not in the
334 * index case because of caller requirements).
335 */
336 if (flags & LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC) {
337 ldb_val_single_array = talloc_array(message->elements, struct ldb_val,
338 message->num_elements);
339 if (ldb_val_single_array == NULL) {
340 errno = ENOMEM;
341 goto failed;
342 }
343 }
344
345 for (i=0;i<message->num_elements;i++) {
346 const char *attr = NULL;
347 size_t attr_len;
348 struct ldb_message_element *element = NULL;
349
350 if (remaining < 10) {
351 errno = EIO;
352 goto failed;
353 }
354 /*
355 * With this check, we know that the attribute name at
356 * p is \0 terminated.
357 */
358 attr_len = strnlen((char *)p, remaining-6);
359 if (attr_len == remaining-6) {
360 errno = EIO;
361 goto failed;
362 }
363 if (attr_len == 0) {
364 errno = EIO;
365 goto failed;
366 }
367 attr = (char *)p;
368
369 /*
370 * The general idea is to reduce allocations by skipping over
371 * attributes that we do not actually care about.
372 *
373 * This is a bit expensive but normally the list is pretty small
374 * also the cost of freeing unused attributes is quite important
375 * and can dwarf the cost of looping.
376 */
377 if (list_size != 0) {
378 bool keep = false;
379 unsigned int h;
380
381 /*
382 * We know that p has a \0 terminator before the
383 * end of the buffer due to the check above.
384 */
385 for (h = 0; h < list_size && found < list_size; h++) {
386 if (ldb_attr_cmp(attr, list[h]) == 0) {
387 keep = true;
388 found++;
389 break;
390 }
391 }
392
393 if (!keep) {
394 if (remaining < (attr_len + 1)) {
395 errno = EIO;
396 goto failed;
397 }
398 remaining -= attr_len + 1;
399 p += attr_len + 1;
400 if (!ldb_consume_element_data(&p, &remaining)) {
401 errno = EIO;
402 goto failed;
403 }
404 continue;
405 }
406 }
407 element = &message->elements[nelem];
408 if (flags & LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC) {
409 element->name = attr;
410 } else {
411 element->name = talloc_memdup(message->elements, attr, attr_len+1);
412
413 if (element->name == NULL) {
414 errno = ENOMEM;
415 goto failed;
416 }
417 }
418 element->flags = 0;
419
420 if (remaining < (attr_len + 1)) {
421 errno = EIO;
422 goto failed;
423 }
424 remaining -= attr_len + 1;
425 p += attr_len + 1;
426 element->num_values = pull_uint32(p, 0);
427 element->values = NULL;
428 if ((flags & LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC) && element->num_values == 1) {
429 element->values = &ldb_val_single_array[nelem];
430 } else if (element->num_values != 0) {
431 element->values = talloc_array(message->elements,
432 struct ldb_val,
433 element->num_values);
434 if (!element->values) {
435 errno = ENOMEM;
436 goto failed;
437 }
438 }
439 p += 4;
440 if (remaining < 4) {
441 errno = EIO;
442 goto failed;
443 }
444 remaining -= 4;
445 for (j = 0; j < element->num_values; j++) {
446 if (remaining < 5) {
447 errno = EIO;
448 goto failed;
449 }
450 remaining -= 5;
451
452 len = pull_uint32(p, 0);
453 if (remaining < len) {
454 errno = EIO;
455 goto failed;
456 }
457 if (len + 1 < len) {
458 errno = EIO;
459 goto failed;
460 }
461
462 element->values[j].length = len;
463 if (flags & LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC) {
464 element->values[j].data = p + 4;
465 } else {
466 element->values[j].data = talloc_size(element->values, len+1);
467 if (element->values[j].data == NULL) {
468 errno = ENOMEM;
469 goto failed;
470 }
471 memcpy(element->values[j].data, p + 4,
472 len);
473 element->values[j].data[len] = 0;
474 }
475 remaining -= len;
476 p += len+4+1;
477 }
478 nelem++;
479 }
480 /*
481 * Adapt the number of elements to the real number of unpacked elements,
482 * it means that we overallocated elements array.
483 */
484 message->num_elements = nelem;
485
486 /*
487 * Shrink the allocated size. On current talloc behaviour
488 * this will help if we skipped 32 or more attributes.
489 */
490 message->elements = talloc_realloc(message, message->elements,
491 struct ldb_message_element,
492 message->num_elements);
493
494 if (remaining != 0) {
495 ldb_debug(ldb, LDB_DEBUG_ERROR,
496 "Error: %zu bytes unread in ldb_unpack_data_only_attr_list",
497 remaining);
498 }
499
500 return 0;
501
502 failed:
503 talloc_free(message->elements);
504 return -1;
505 }
506
507 /*
508 * Unpack a ldb message from a linear buffer in ldb_val
509 *
510 * Providing a list of attributes to this function allows selective unpacking.
511 * Giving a NULL list (or a list_size of 0) unpacks all the attributes.
512 *
513 * Free with ldb_unpack_data_free()
514 */
515 int ldb_unpack_data_only_attr_list(struct ldb_context *ldb,
516 const struct ldb_val *data,
517 struct ldb_message *message,
518 const char * const *list,
519 unsigned int list_size,
520 unsigned int *nb_elements_in_db)
521 {
522 return ldb_unpack_data_only_attr_list_flags(ldb,
523 data,
524 message,
525 list,
526 list_size,
527 0,
528 nb_elements_in_db);
529 }
530
531 int ldb_unpack_data(struct ldb_context *ldb,
532 const struct ldb_val *data,
533 struct ldb_message *message)
534 {
535 return ldb_unpack_data_only_attr_list(ldb, data, message, NULL, 0, NULL);
536 }
Samba GIT mirror