Univention Bugzilla – Bug 30227
Wrong prefix-comparison in listener / notifier
Last modified: 2016-07-21 15:15:57 CEST
Exmaple from management/univention-directory-listener/src/cache_entry:228 > if (!strncmp(ucrval, "yes", strlen("yes")) || !strncmp(ucrval, "true", strlen("true"))) That only compares ucrval for a prefix, that is every string starting with "yes" or "true" like "yes123" are also valid. This should be changed to s a simple strcmp(ucrval, "yes") which is secure, since the second string is constant and there is no need to explicitly limit the length. Patch: $ find -type f -name \*.c -exec sed -i -e 's|strncmp *( *\([^", ]\+\) *, *\("[^"]\+"\) *, *strlen *( *\2 *) *)|strcmp(\1, \2)|g' {} + Locations: $ find -type f -name \*.c -exec grep -n 'strncmp *( *\([^", ]\+\) *, *\("[^"]\+"\) *, *strlen *( *\2 *) *)' {} + ./management/univention-directory-notifier/src/notify.c:676: if ( !strncmp(line, "dn: ", strlen("dn: ")) ) { ./management/univention-directory-notifier/src/notify.c:681: if ( !strncmp(line, "changetype: ", strlen("changetype: ")) ) { ./management/univention-directory-notifier/src/notify.c:699: if ( !strncmp(line, "newrdn: ", strlen("newrdn: ")) ) { ./management/univention-directory-notifier/src/notify.c:704: if ( !strncmp(line, "newsuperior: ", strlen("newsuperior: ")) ) { ./management/univention-directory-notifier/src/notify.c:709: if ( !strncmp(line, "deleteoldrdn: 0", strlen("deleteoldrdn: 0")) ) { ./management/univention-directory-notifier/src/notify.c:712: if ( !strncmp(line, "deleteoldrdn: 1", strlen("deleteoldrdn: 1")) ) { ./management/univention-directory-notifier/src/callback.c:149: if ( !strncmp(network_line, "MSGID: ", strlen("MSGID: ")) ) { ./management/univention-directory-notifier/src/callback.c:157: } else if ( !strncmp(network_line, "Version: ", strlen("Version: ")) ) { ./management/univention-directory-notifier/src/callback.c:177: } else if ( !strncmp(network_line, "Capabilities: ", strlen("Capabilities: ")) ) { ./management/univention-directory-notifier/src/callback.c:202: } else if ( !strncmp(network_line, "GET_DN ", strlen("GET_DN ")) && msg_id != UINT32_MAX && network_client_get_version(fd) > 0) { ./management/univention-directory-notifier/src/callback.c:263: } else if ( !strncmp(network_line, "GET_ID", strlen("GET_ID")) && msg_id != UINT32_MAX && network_client_get_version(fd) > 0) { ./management/univention-directory-notifier/src/callback.c:277: } else if ( !strncmp(network_line, "GET_SCHEMA_ID", strlen("GET_SCHEMA_ID")) && msg_id != UINT32_MAX && network_client_get_version(fd) > 0) { ./management/univention-directory-notifier/src/callback.c:293: } else if ( !strncmp(network_line, "ALIVE", strlen("ALIVE")) && msg_id != UINT32_MAX && network_client_get_version(fd) > 0) { ./management/univention-directory-listener/src/cache_entry.c:226: if ( !strncmp(cache_entry->attributes[cache_entry->attribute_count]->name, "memberUid", strlen("memberUid")) ) { ./management/univention-directory-listener/src/cache_entry.c:236: if ( !strncmp(cache_entry->attributes[cache_entry->attribute_count]->name, "uniqueMember", strlen("uniqueMember")) ) {
r69893 | Bug #30227 UDL: Fix string prefix comparison Package: univention-directory-listener Version: 10.0.0-11.315.201606071717 Branch: ucs_4.1-0 Scope: errata4.1-2 r69910 | Bug #22383,Bug #30227,Bug #30263,Bug #34324,Bug #34507,Bug #34738,Bug #3490,Bug #38696,Bug #39509,Bug #40600,Bug #41261: UDL YAML univention-directory-listener.yaml
Code review: Ok Advisory: Ok
What about the locations your found in univention-directory-notifier? Clone this bug for that cleanup?
<http://errata.software-univention.de/ucs/4.1/215.html>