[PATCH] Setting nTSecurityDescriptor via LDAP fails

Zahari Zahariev zahari.zahariev at postpath.com
Fri Mar 20 10:53:16 GMT 2009 

Hello,

I am sending again the patch for nTSecurityDescriptor bug with LDAP 
(null character '\0' issue in the middle of object property value).

Hope it is OK now.

-Zahari, Sofia
-------------- next part --------------
>From 49b57287305ca8ba5106fc04dacbfbf8c69161af Mon Sep 17 00:00:00 2001
From: zahari <zahari at darkstar.zahari.local>
Date: Fri, 20 Mar 2009 12:03:29 +0200
Subject: [PATCH] Setting nTSecurityDescriptor via LDAP fails

Fix for the problem was substitute talloc_strndup() with
talloc_memdup(), allocate 1 more character and put null character
('\0') in the extra place so data copied is null terminated.
---
 source4/lib/ldb/pyldb.c              |    6 ++++--
 source4/lib/ldb/tests/python/ldap.py |   14 ++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/source4/lib/ldb/pyldb.c b/source4/lib/ldb/pyldb.c
index 81b9609..aa3f02b 100644
--- a/source4/lib/ldb/pyldb.c
+++ b/source4/lib/ldb/pyldb.c
@@ -1273,9 +1273,11 @@ struct ldb_message_element *PyObject_AsMessageElement(TALLOC_CTX *mem_ctx,
 		me->num_values = 1;
 		me->values = talloc_array(me, struct ldb_val, me->num_values);
 		me->values[0].length = PyString_Size(set_obj);
-		me->values[0].data = (uint8_t *)talloc_strndup(me->values,
+		me->values[0].data = (uint8_t *)talloc_memdup(me->values,
 					PyString_AsString(set_obj),
-					me->values[0].length);
+					me->values[0].length + 1);
+		me->values[0].data[me->values[0].length] = '\0';
+
 	} else if (PySequence_Check(set_obj)) {
 		int i;
 		me->num_values = PySequence_Size(set_obj);
diff --git a/source4/lib/ldb/tests/python/ldap.py b/source4/lib/ldb/tests/python/ldap.py
index a30273f..1824053 100755
--- a/source4/lib/ldb/tests/python/ldap.py
+++ b/source4/lib/ldb/tests/python/ldap.py
@@ -90,6 +90,20 @@ class BasicTests(unittest.TestCase):
         except LdbError, (num, _): 
             self.assertEquals(num, ERR_NO_SUCH_OBJECT)
 
+    def test_zero_byte_string(self):
+        """ Testing we do not get trapped in the '\0' byte in a property string"""
+        user_dn = "cn=ldaptestuser,cn=users," + self.base_dn
+        self.delete_force(self.ldb, user_dn)
+        ldb.add({
+            "dn" : user_dn,
+            "objectclass" : "user",
+            "cN" : "LDAPtestUSER",
+            "givenname" : "ldap",
+            "displayname" : "foo\0bar",
+        })
+        res = self.ldb.search( self.base_dn, expression="(dn=%s)" % user_dn )
+        self.assertEquals( "foo\0bar", res[0]["displayname"][0] )
+
     def test_all(self):
         """Basic tests"""
 
-- 
1.5.6.3

More information about the samba-technical mailing list