On 2024/01/27 18:33:35 +0100, Philipp <[email protected]> wrote:
> A I forgott the patch.
>
> [2024-01-27 12:11] Philipp <[email protected]>
> > I have noticed that the table-ldap uses printf() to replace the '%s' of
> > the filter with the search key. This has some problems. The biggest one
> > is you can use the key only once in the filter. So a filter like:
> >
> > > (|(mail=%s)(uid=%s))
> >
> > doesn't work.
> >
> > To fix this I have moved the replacement to the parsval function of aldap.
> >
> > Philipp
Thanks for this. Reads fine to me, one nit below
> --- a/extras/tables/table-ldap/aldap.c
> +++ b/extras/tables/table-ldap/aldap.c
> [...]
> @@ -1243,12 +1243,41 @@ parseval(char *p, size_t len)
> (void)strlcpy(hex, cp + j + 1, sizeof(hex));
> buffer[i] = (char)strtoumax(hex, NULL, 16);
> j += 3;
> + } else if (cp[j] == '%') {
> + switch (cp[j + 1]) {
> + case '%':
> + buffer[i] = '%';
> + j += 2;
> + break;
> + case 's':
> + if (!key) {
> + free(buffer);
> + return NULL;
> + }
> + keylen = strlen(key);
> + newsize = size + keylen;
> + if ((newbuffer = realloc(buffer, newsize)) ==
> NULL) {
> + free(buffer);
> + return NULL;
> + }
> + buffer = newbuffer;
> + size = newsize;
> + memcpy(buffer + i, key, keylen);
> + i += keylen - 1;
Here we can underflow when keylen is zero. Probably it's not such a big
deal since all these vars are unsigned and we're going to increment x
again at the next loop iteration (which is always executed), rewrapping
again, but it's not nice :/
(also, I'm not sure we can reach the case of a key with length zero, but
since we care to NULL check, we should handle "" as a key too IMHO.)
