[Fedora-directory-commits] adminutil/lib/libadminutil admutil.c, 1.2, 1.3 errRpt.c, 1.1.1.1, 1.2 form_post.c, 1.1.1.1, 1.2 uginfo.c, 1.1.1.1, 1.2

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Wed Mar 22 23:47:22 UTC 2006


Author: rmeggins

Update of /cvs/dirsec/adminutil/lib/libadminutil
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11998/adminutil/lib/libadminutil

Modified Files:
	admutil.c errRpt.c form_post.c uginfo.c 
Log Message:
Bug(s) fixed: 186280
Bug Description: Close potential security vulnerabilities in CGI code
Reviewed by: Noriko (Thanks!)
Fix Description: The code was already pretty clean in terms of buffer 
access.  I added some malloc return checking, used some nspr functions 
where applicable, removed some dead code, and fixed a couple of small 
memory leaks.
Platforms tested: Fedora Core 5
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none



Index: admutil.c
===================================================================
RCS file: /cvs/dirsec/adminutil/lib/libadminutil/admutil.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- admutil.c	6 Dec 2005 18:38:37 -0000	1.2
+++ admutil.c	22 Mar 2006 23:47:14 -0000	1.3
@@ -986,10 +986,21 @@
   LDAPMod       *newMod;
   
   newMod = (LDAPMod*)PR_Malloc(sizeof(LDAPMod));
+  if (!newMod) {
+      return newMod;
+  }
   newMod->mod_op = mode;
   newMod->mod_type = PL_strdup(namep);
+  if (namep && !newMod->mod_type) {
+      deleteMod(newMod);
+      return NULL;
+  }
   if (values) {
        newMod->mod_values = admutil_strsdup(values);
+       if (!newMod->mod_values) {
+           deleteMod(newMod);
+           return NULL;
+       }
   }
   else if (mode != LDAP_MOD_ADD) {
       newMod->mod_values = NULL;
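Review bot: The new `deleteMod(newMod)` call on the `PL_strdup(namep)` failure path runs before `newMod->mod_values` has been assigned, and `PR_Malloc` does not zero the struct, so the cleanup would see an indeterminate pointer if deleteMod releases mod_values (its body is not visible here). Initialising the field right after the allocation check, `newMod->mod_values = NULL;`, makes every error path safe. The same applies in the next hunk (new line 1008 onward): when `PL_strdup("")` fails, `mod_values[1]` is still unset, so set `newMod->mod_values[1] = NULL;` before the strdup. The function's signature and its end are outside the hunk.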
@@ -997,7 +1008,15 @@
   else {
       /* For LDAP_MOD_ADD attribute value must be specified */
       newMod->mod_values = (char**)PR_Malloc(2*sizeof(char*));
+      if (!newMod->mod_values) {
+          deleteMod(newMod);
+          return NULL;
+      }
       newMod->mod_values[0] = PL_strdup("");
+      if (!newMod->mod_values[0]) {
+          deleteMod(newMod);
+          return NULL;
+      }
       newMod->mod_values[1] = NULL;
   }
 
@@ -1036,7 +1055,11 @@
 admUriUnescape(char *s)
 {
     char *t, *u;
- 
+
+    if (!s) {
+        return;
+    }
+
     for(t = s, u = s; *t; ++t, ++u) {
         if((*t == '%') && t[1] && t[2]) {
             *u = ((t[1] >= 'A' ? ((t[1] & 0xdf) - 'A')+10 : (t[1] - '0'))*16) +
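Review bot: The `%` branch still decodes any two bytes that follow the percent sign, since its condition only tests `t[1] && t[2]`; the added NULL guard does not change that. Non-hex characters produce an arbitrary byte, and `%00` writes a terminator into the middle of the string, so later checks may see a shorter value than the one that was sent. Consider requiring `isxdigit((unsigned char)t[1]) && isxdigit((unsigned char)t[2])` (from `<ctype.h>`) in the condition and copying the `%` literally otherwise; whether `%00` should be rejected outright depends on callers not shown here. The loop body continues past the end of the hunk.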
@@ -1106,6 +1129,12 @@
   memset(admInfo, '\0', sizeof(AdmldapHdnl));
 
   admInfo->configFilePath = PL_strdup(path);
+  if (!admInfo->configFilePath) {
+      PR_Free(admInfo);
+      *errorcode = ADMUTIL_SYSTEM_ERR;
+      return NULL;
+  }
+
   admInfo->configInfo = configInfo;
 
 
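Review bot: The new early return releases only `admInfo`, while `configInfo` is assigned from an existing local just below, so anything that local already owns at this point is not released on this path. The other failure path added in this commit goes through `destroyAdmldap()`, which suggests the handle normally owns that data. If `configInfo` is heap-allocated before this point (the code that fills it is outside the hunk), free it here as well, or move `admInfo->configInfo = configInfo;` above the strdup and call `destroyAdmldap((AdmldapInfo)admInfo)` instead of `PR_Free(admInfo)`.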
@@ -1137,6 +1166,12 @@
   }
 
   admInfo->serverDirectoryURL = PL_strdup(ldapurl);
+  if (!admInfo->serverDirectoryURL) {
+    /* Error open file  */
+    *errorcode = ADMUTIL_SYSTEM_ERR;
+    destroyAdmldap((AdmldapInfo)admInfo);
+    return NULL;
+  }
 
   if (ldap_url_parse(ldapurl, &ldapInfo)) {
     *errorcode = ADMUTIL_SYSTEM_ERR;
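Review bot: The comment `/* Error open file  */` on the new branch describes a different failure; this path is taken when `PL_strdup(ldapurl)` returns NULL. Suggest `/* out of memory duplicating the LDAP URL */` so the error path reads correctly. Whether `ldapurl` itself needs freeing before the return cannot be told from the hunk.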


Index: errRpt.c
===================================================================
RCS file: /cvs/dirsec/adminutil/lib/libadminutil/errRpt.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- errRpt.c	20 Jul 2005 22:51:32 -0000	1.1.1.1
+++ errRpt.c	22 Mar 2006 23:47:14 -0000	1.2
@@ -126,12 +126,22 @@
 char *verbose_err()
 {
   /* Convert to use NSPR  */
-  char errMsg[1024];
-  int  errMsgLen = 0;
-
-  errMsgLen = PR_GetErrorText(errMsg);
-  if (errMsgLen) return alert_wrd_wrap(errMsg, WORD_WRAP_WIDTH, "\\n");
-  else return NULL;
+  char *retval = NULL;
+  char *errMsg = NULL;
+  PRInt32 errMsgLen = 0;
+
+  errMsgLen = PR_GetErrorTextLength();
+  if (errMsgLen > 0) {
+      errMsg = PR_Malloc(errMsgLen+1);
+      if (errMsg) {
+          errMsgLen = PR_GetErrorText(errMsg);
+          if (errMsgLen) {
+              retval = alert_wrd_wrap(errMsg, WORD_WRAP_WIDTH, "\\n");
+          }
+          PR_Free(errMsg);
+      }
+  }
+  return retval;
 }
 #endif /* XP_WIN32 */
 
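Review bot: The leading comment `/* Convert to use NSPR  */` now reads like a leftover TODO, since the body uses NSPR calls throughout. A short header comment would help more: that the buffer is sized from `PR_GetErrorTextLength()`, that NULL is returned when no error text is set or the allocation fails, and who frees the string that `alert_wrd_wrap()` hands back (presumably the caller; its definition is not shown).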


Index: form_post.c
===================================================================
RCS file: /cvs/dirsec/adminutil/lib/libadminutil/form_post.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- form_post.c	20 Jul 2005 22:51:32 -0000	1.1.1.1
+++ form_post.c	22 Mar 2006 23:47:14 -0000	1.2
@@ -36,10 +36,6 @@
 #define BIG_LINE 1024
 #endif
 
-#if 0
-#define SUCCESS_HTML "success.html"
-#endif
-
 static char **input;
 
 #ifdef XP_WIN32
@@ -97,27 +93,42 @@
     int cl;
 
     if(!(tmp = getenv("CONTENT_LENGTH"))) {
-      if (admutil_i18nResource) {
-    rpt_err(INCORRECT_USAGE,
-        (char*)res_getstring(admutil_i18nResource,
-                  DBT_formPost_Browser_err,
-                  admutil_acceptLang),
-        (char*)res_getstring(admutil_i18nResource,
-                  DBT_formPost_Browser_errDetail,
-                  admutil_acceptLang),
-        NULL);
-      }
-      else {
-        rpt_err(INCORRECT_USAGE, 
-        "Browser Error", 
-        "Your browser sent no content length with a POST command. Please be sure to use a fully compliant browser.",
-        NULL);
-      }
+        if (admutil_i18nResource) {
+            rpt_err(INCORRECT_USAGE,
+                    (char*)res_getstring(admutil_i18nResource,
+                                         DBT_formPost_Browser_err,
+                                         admutil_acceptLang),
+                    (char*)res_getstring(admutil_i18nResource,
+                                         DBT_formPost_Browser_errDetail,
+                                         admutil_acceptLang),
+                    NULL);
+        }
+        else {
+            rpt_err(INCORRECT_USAGE, 
+                    "Browser Error", 
+                    "Your browser sent no content length with a POST command. Please be sure to use a fully compliant browser.",
+                    NULL);
+        }
     }
         
     cl = atoi(tmp);
 
-    vars = (char *)PR_Malloc(cl+1);
+    if (!(vars = (char *)PR_Malloc(cl+1))) {
+      if (admutil_i18nResource) {
+          rpt_err(MEMORY_ERROR,
+                  NULL,
+                  (char*)res_getstring(admutil_i18nResource,
+                                       DBT_formPost_PostStdinErr,
+                                       admutil_acceptLang),
+                  NULL);
+      }
+      else {
+        rpt_err(MEMORY_ERROR,
+                NULL, 
+                "Could not allocate enough memory to read in the POST parameters.",
+                NULL);
+      }
+    }        
 
     if( !(fread(vars, 1, cl, in)) ) {
       if (admutil_i18nResource) {
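Review bot: `cl = atoi(tmp)` takes CONTENT_LENGTH from the request environment with no validation, and the new allocation check does not cover that: a negative or non-numeric value gives a `PR_Malloc(cl+1)` size and an `fread` count that no longer match the buffer, and there is no upper bound on the request body. Parse with `strtol` and reject anything outside the accepted range before allocating, e.g. `n = strtol(tmp, &end, 10);` followed by `if (end == tmp || *end || n < 0 || n > POST_MAX /* placeholder limit */)` reporting `INCORRECT_USAGE`. Both error branches also fall through, to `atoi(tmp)` with `tmp == NULL` and to `fread(vars, ...)` with `vars == NULL`, unless `rpt_err` never returns, which is not visible here. The function begins and ends outside the hunk.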
@@ -150,12 +161,28 @@
 PR_IMPLEMENT(char **)
 string_to_vec(char *in)
 {
-    char **ans;
+    char **ans = NULL;
     int vars = 0;
     register int x = 0;
     char *tmp;
 
-    in = PL_strdup(in);
+    if (!(in = PL_strdup(in))) {
+      if (admutil_i18nResource) {
+          rpt_err(MEMORY_ERROR,
+                  NULL,
+                  (char*)res_getstring(admutil_i18nResource,
+                                       DBT_formPost_PostStdinErr,
+                                       admutil_acceptLang),
+                  NULL);
+      }
+      else {
+        rpt_err(MEMORY_ERROR,
+                NULL, 
+                "Could not allocate enough memory to read in the POST parameters.",
+                NULL);
+      }
+      return ans;
+    }        
 
     while(in[x])
         if(in[x++]=='=')
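Review bot: The ten-line localized/fallback `rpt_err(MEMORY_ERROR, ...)` block is pasted at every new allocation check in this file (the hunks starting at new lines 93, 161, 196, 253 and 325), which buries the checks themselves. A small static helper taking the English fallback text would reduce each site to two lines, as sketched below. Note also that the localized branch always uses `DBT_formPost_PostStdinErr`, whose name suggests a stdin read error rather than an allocation failure; confirm the resource text matches. The rest of string_to_vec lies outside this hunk.

```c
/* Report an allocation failure, using the localized text when the
 * resource bundle is loaded and the given English fallback otherwise. */
static void
rpt_alloc_err(char *fallback)
{
    char *detail = fallback;

    if (admutil_i18nResource) {
        detail = (char*)res_getstring(admutil_i18nResource,
                                      DBT_formPost_PostStdinErr,
                                      admutil_acceptLang);
    }
    rpt_err(MEMORY_ERROR, NULL, detail, NULL);
}

/* ... unchanged: string_to_vec signature and declarations ... */
    if (!(in = PL_strdup(in))) {
        rpt_alloc_err("Could not allocate enough memory to read in the POST parameters.");
        return ans;
    }
```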
@@ -169,11 +196,45 @@
         PR_Free(in);
         return(ans);
     }
-    ans[x]=PL_strdup(tmp);
+
+    if (!(ans[x]=PL_strdup(tmp))) {
+      if (admutil_i18nResource) {
+          rpt_err(MEMORY_ERROR,
+                  NULL,
+                  (char*)res_getstring(admutil_i18nResource,
+                                       DBT_formPost_PostStdinErr,
+                                       admutil_acceptLang),
+                  NULL);
+      }
+      else {
+        rpt_err(MEMORY_ERROR,
+                NULL, 
+                "Could not allocate enough memory to read in the POST parameters.",
+                NULL);
+      }
+      return ans;
+    }        
+
     form_unescape(ans[x++]);
 
     while((tmp = strtok(NULL, "&")))  {
-        ans[x] = PL_strdup(tmp);
+        if (!(ans[x] = PL_strdup(tmp))) {
+            if (admutil_i18nResource) {
+                rpt_err(MEMORY_ERROR,
+                        NULL,
+                        (char*)res_getstring(admutil_i18nResource,
+                                             DBT_formPost_PostStdinErr,
+                                             admutil_acceptLang),
+                        NULL);
+            }
+            else {
+                rpt_err(MEMORY_ERROR,
+                        NULL, 
+                        "Could not allocate enough memory to read in the POST parameters.",
+                        NULL);
+            }
+            return ans;
+        }
         form_unescape(ans[x++]);
     }
 
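Review bot: Both new `return ans;` exits (after the first `PL_strdup(tmp)` and inside the `strtok` loop) leave the function without releasing `in`, the working copy made at the top, whereas the earlier exit shown in context calls `PR_Free(in)` first. Add `PR_Free(in);` before each `return ans;`. The caller also receives a vector that stops at the failed entry with nothing to mark it as incomplete, so consider freeing the entries already copied and returning NULL instead. The start and end of the function are outside this hunk.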
@@ -192,7 +253,24 @@
     while(input[x])  {
     /*  We want to get rid of the =, so len, len+1 */
         if((!strncmp(input[x], varname, len)) && (*(input[x]+len) == '='))  {
-            ans = PL_strdup(input[x] + len + 1);
+            if (!(ans = PL_strdup(input[x] + len + 1))) {
+                if (admutil_i18nResource) {
+                    rpt_err(MEMORY_ERROR,
+                            NULL,
+                            (char*)res_getstring(admutil_i18nResource,
+                                                 DBT_formPost_PostStdinErr,
+                                                 admutil_acceptLang),
+                            NULL);
+                }
+                else {
+                    rpt_err(MEMORY_ERROR,
+                            NULL, 
+                            "Could not allocate enough memory to get the parameter.",
+                            NULL);
+                }
+                return ans;
+            }
+        
             if(!strcmp(ans, ""))
                 ans = NULL;
             break;
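Review bot: The `ans = NULL;` under `if(!strcmp(ans, ""))` drops the copy that `PL_strdup` has just made, so an empty form value leaks one allocation per call; the leak cleanup in this commit did not reach it. `if (!*ans) { PR_Free(ans); ans = NULL; }` keeps the behaviour and releases the copy. The enclosing function starts and ends outside the hunk.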
@@ -247,7 +325,23 @@
         if ((!strncmp(input[x], varname, len)) &&
         (*(input[x]+len) == '=') &&
         (*(input[x]+len+1))) {
-            ans[n] = PL_strdup(input[x] + len + 1);
+            if (!(ans[n] = PL_strdup(input[x] + len + 1))) {
+                if (admutil_i18nResource) {
+                    rpt_err(MEMORY_ERROR,
+                            NULL,
+                            (char*)res_getstring(admutil_i18nResource,
+                                                 DBT_formPost_PostStdinErr,
+                                                 admutil_acceptLang),
+                            NULL);
+                }
+                else {
+                    rpt_err(MEMORY_ERROR,
+                            NULL, 
+                            "Could not allocate enough memory to get the parameter.",
+                            NULL);
+                }
+                return ans;
+            }
         n++;
         }
     }
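Review bot: On allocation failure the new branch returns the values collected so far, and because the failed `PL_strdup` left `ans[n]` as NULL the list looks complete to the caller. Unless `rpt_err` ends the process (not visible here), callers cannot tell a truncated result from a full one. Consider freeing `ans[0..n-1]` and `ans` and returning NULL on this path, so that a partial parameter list is never acted on. The loop and the function's declarations are outside the hunk.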
@@ -267,54 +361,6 @@
     return NULL;
 }
 
-#if 0
-/* Removed since front end is JAVA, no need to send html page back! */
-PR_IMPLEMENT(void)
-return_success(char *description)
-{
-    char **config=get_adm_config();
-    WSACleanup();
-
-    fprintf(stdout, "\n<SCRIPT language=%s>", MOCHA_NAME);
-#ifdef MCC_HTTPD /* template->style usability */
-    /* If we're working with styles, jump directly back to the edit style
-     * page. */
-    if(!strcmp(get_current_typestr(config), TEMPLATE) ||
-       ((get_current_restype(config)==PB_NAME) && 
-        (strcmp(get_current_resource(config), "default"))))  {
-        fprintf(stdout, "top.%s.%s.location='%s';", 
-                BOTTOM_NAME, CONTENT_NAME, "index/tmpled");
-        fprintf(stdout, "</SCRIPT>\n");
-    }  else
-#endif
-    fprintf(stdout, "alert('Success!\\n%s');", 
-                    alert_word_wrap(description, WORD_WRAP_WIDTH, "\\n"));
-    fprintf(stdout, "</SCRIPT>\n");
-    js_open_referer();
-#ifdef NS_MAIL
-    char line[BIG_LINE];
-    char **config = get_adm_config();
-    FILE *html=open_html_file(SUCCESS_HTML);
-
-    WSACleanup();
-
-    /* Be sure headers are terminated. */
-    fputs("\n", stdout);
-
-    while(next_html_line(html, line))  {
-        if(parse_line(line, config))  {
-            if(directive_is(line, "SUCCESS_DESCRIPTION"))  {
-                fprintf(stdout, "<dl><dt><FONT size=+1>Success!</FONT>\n");
-                fprintf(stdout, "<dd>%s\n</dl>", description);
-            }
-        }
-    }
-#endif /* NS_MAIL */
-    exit(0);
-}
-#endif  /* 0 */
-
-
 
 PR_IMPLEMENT(void)
 rm_trail_slash(char *target)


Index: uginfo.c
===================================================================
RCS file: /cvs/dirsec/adminutil/lib/libadminutil/uginfo.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- uginfo.c	20 Jul 2005 22:51:32 -0000	1.1.1.1
+++ uginfo.c	22 Mar 2006 23:47:14 -0000	1.2
@@ -299,7 +299,15 @@
     return 0;
   }
 
-  mods = (LDAPMod**)PR_Malloc(6*sizeof(LDAPMod*));
+  if (!(mods = (LDAPMod**)PR_Malloc(6*sizeof(LDAPMod*)))) {
+          *error_code = UG_LDAP_SYSTEM_ERR;
+          if (oldDirectoryURL) PR_Free(oldDirectoryURL);
+          if (oldBindDN) PR_Free(oldBindDN);
+          if (oldBindPassword) PR_Free(oldBindPassword);
+          if (oldDirectoryInfoRef) PR_Free(oldDirectoryInfoRef);
+          return 0;
+  }
+
   i = 0;
   if (directoryInfoRef) {
     if (oldDirectoryURL) {
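Review bot: The new cleanup frees `oldBindPassword` with a plain `PR_Free`, leaving what is presumably the bind credential readable in freed heap memory. Clear the buffer first with a routine the compiler cannot elide (a plain `memset` before a free may be optimised away), then free it. Separately, the literal `6` in `PR_Malloc(6*sizeof(LDAPMod*))` deserves a named constant or a comment stating how many entries plus the NULL terminator the code below can add. The surrounding function is only partly visible in this hunk.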



