Bug 51864 - Value for ldap/index/eq is longer than the maximum variable length 1024 of the C implementation of UCR
Status: NEW
Product: UCS
Classification: Unclassified
Component: UCR
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Reported: 2020-08-20 15:34 CEST by Florian Best
Modified: 2024-04-22 14:25 CEST (History)
What kind of report is it?: Development Internal
Bug group (optional): bitesize, Error handling
Description Florian Best univentionstaff 2020-08-20 15:34:11 CEST
# ucr get ldap/index/eq | wc -c
1687

# ./max_len | wc -c
1009

>>> 1024 - len('ldap/index/eq: ')
1009

// gcc -luniventionconfig max_len.c -o max_len
#include <stdio.h>   /* printf() */
#include <string.h>
#include <univention/config.h>

int main(void) {
        char *foo = univention_config_get_string("ldap/index/eq");
        if (foo)
                printf("%s\n", foo);
        return 0;
}
Comment 1 Philipp Hahn univentionstaff 2022-11-30 18:48:47 CET
Which is no problem, as there are only a handful of users of the C binding, which all use a limited set of UCRV:
- univention_config_get_string("kerberos/realm")
- univention_config_get_string("ldap/base")
- univention_config_get_string("ldap/server/name")
- univention_config_get_string("ldap/base")
- univention_config_get_string("kerberos/realm")
- univention_config_get_string("ldap/server/addition")
- univention_config_get_string("listener/cache/filter")
- univention_config_get_string("listener/cache/mdb/maxsize")
- univention_config_get_string("listener/memberuid/skip")
- univention_config_get_string("listener/uniquemember/skip")
- univention_config_get_string("server/role")
- univention_config_get_string("listener/network/protocol")
- univention_config_get_int("listener/freespace")
- univention_config_get_string("notifier/server")
- univention_config_get_int("notifier/server/port")
- univention_config_get_string("ldap/master")
- univention_config_get_int("ldap/master/port")
- univention_config_get_string("ldap/backup")
- univention_config_get_int("ldap/backup/port")
- univention_config_get_int("listener/timeout/scans")
- univention_config_get_string("hostname")
- univention_config_get_string("windows/domain")

Of those, only these can be arbitrarily large:
- ldap/server/addition
- listener/cache/filter

While `univention_config_get()` cannot be used to get those over-long UCRV, the implementation will continue to "work" somehow, but can be tricked into doing "bad things":

export UNIVENTION_BASECONF=./tmp BASECONFIG_MAX_LINE=1024
chars () { printf '%*s' "$1" '' | tr ' ' "$2"; }
ucr set a="$(chars $((BASECONFIG_MAX_LINE-4)) a)b: b"  # len("a: …\0")=4
cat x.c
 #include <stdio.h>
 #include <string.h>
 #include <univention/config.h>
 int main(void){printf("%s", univention_config_get_string("b"));return 0;}
gcc -luniventionconfig x.c
[ "$(ucr get b)" = '' ]
[ "$(./a.out)" = 'b' ]

We could easily change it to 4k by default, but should also add proper handling for long lines.
Comment 2 Philipp Hahn univentionstaff 2024-04-22 14:25:05 CEST
base/univention-config-registry/lib/config.c:50 #define BASECONFIG_MAX_LINE 1024
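
The long-line handling asked for in Comment 1, as an added example that is not part of the original report and not libuniventionconfig code. `lookup()`, `make_sample()` and the `strict` flag are hypothetical names, the fgets() loop is an assumed shape of a fixed-buffer reader, and the sample file is constructed to match the reproduction above.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 1024 /* same value as BASECONFIG_MAX_LINE on this page */

/* Hypothetical helper, not the libuniventionconfig API: find "key: value" in f.
 * strict=0 parses every fgets() chunk as if it were a line; strict=1 parses only
 * chunks that are one whole physical line. Returns 1 and fills out[MAX_LINE]. */
int lookup(FILE *f, const char *key, int strict, char *out)
{
    char buf[MAX_LINE];
    size_t klen = strlen(key);
    int at_line_start = 1;
    rewind(f);
    while (fgets(buf, sizeof buf, f)) {
        size_t n = strlen(buf);
        int has_nl = n > 0 && buf[n - 1] == '\n';
        int whole = at_line_start && (has_nl || feof(f));
        at_line_start = has_nl; /* next chunk starts a line only after '\n' */
        if ((strict && !whole) || strncmp(buf, key, klen) || strncmp(buf + klen, ": ", 2))
            continue; /* skip head/tail chunks of over-long lines, and other keys */
        buf[n - has_nl] = '\0'; /* drop the trailing newline, if any */
        strcpy(out, buf + klen + 2);
        return 1;
    }
    return 0;
}

/* Constructed sample: the over-long "a" entry from the reproduction, then a normal one. */
FILE *make_sample(void)
{
    FILE *f = tmpfile();
    if (f) {
        fputs("a: ", f);
        for (int i = 0; i < MAX_LINE - 4; i++)
            fputc('a', f);
        fputs("b: b\nhostname: host1\n", f);
    }
    return f;
}

int main(void)
{
    char v[MAX_LINE];
    FILE *f = make_sample();
    for (int strict = 0; f && strict < 2; strict++)
        printf("strict=%d b=%s\n", strict, lookup(f, "b", strict, v) ? v : "(unset)");
    return f ? 0 : 1;
}
```

In strict mode the over-long `a` entry is reported as unset rather than truncated, so a larger buffer is still needed for values that are legitimately long.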