Bug 30227 - Wrong prefix-comparison in listener / notifier
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Listener (univention-directory-listener)
Version: UCS 3.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-2-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate

Reported: 2013-01-31 13:37 CET by Philipp Hahn
Modified: 2016-07-21 15:15 CEST
Bug group (optional): Cleanup
hahn: Patch_Available+
Description Philipp Hahn univentionstaff 2013-01-31 13:37:21 CET
Example from management/univention-directory-listener/src/cache_entry:228
> if (!strncmp(ucrval, "yes", strlen("yes")) || !strncmp(ucrval, "true", strlen("true")))

That only compares ucrval for a prefix, that is, every string starting with "yes" or "true", like "yes123", is also valid.
This should be changed to a simple
  strcmp(ucrval, "yes")
which is secure, since the second string is constant and there is no need to explicitly limit the length.

Patch:
$ find -type f -name \*.c -exec sed -i -e 's|strncmp *( *\([^", ]\+\) *, *\("[^"]\+"\) *, *strlen *( *\2 *) *)|strcmp(\1, \2)|g' {} +

Locations:
$ find -type f -name \*.c -exec grep -n 'strncmp *( *\([^", ]\+\) *, *\("[^"]\+"\) *, *strlen *( *\2 *) *)' {} +
./management/univention-directory-notifier/src/notify.c:676:            if ( !strncmp(line, "dn: ", strlen("dn: ")) ) {
./management/univention-directory-notifier/src/notify.c:681:            if ( !strncmp(line, "changetype: ", strlen("changetype: ")) ) {
./management/univention-directory-notifier/src/notify.c:699:            if ( !strncmp(line, "newrdn: ", strlen("newrdn: ")) ) {
./management/univention-directory-notifier/src/notify.c:704:            if ( !strncmp(line, "newsuperior: ", strlen("newsuperior: ")) ) {
./management/univention-directory-notifier/src/notify.c:709:            if ( !strncmp(line, "deleteoldrdn: 0", strlen("deleteoldrdn: 0")) ) {
./management/univention-directory-notifier/src/notify.c:712:            if ( !strncmp(line, "deleteoldrdn: 1", strlen("deleteoldrdn: 1")) ) {
./management/univention-directory-notifier/src/callback.c:149:          if ( !strncmp(network_line, "MSGID: ", strlen("MSGID: ")) ) {
./management/univention-directory-notifier/src/callback.c:157:          } else if ( !strncmp(network_line, "Version: ", strlen("Version: ")) ) {
./management/univention-directory-notifier/src/callback.c:177:          } else if ( !strncmp(network_line, "Capabilities: ", strlen("Capabilities: ")) ) {
./management/univention-directory-notifier/src/callback.c:202:          } else if ( !strncmp(network_line, "GET_DN ", strlen("GET_DN ")) && msg_id != UINT32_MAX && network_client_get_version(fd) > 0) {
./management/univention-directory-notifier/src/callback.c:263:          } else if ( !strncmp(network_line, "GET_ID", strlen("GET_ID")) && msg_id != UINT32_MAX  && network_client_get_version(fd) > 0) {
./management/univention-directory-notifier/src/callback.c:277:          } else if ( !strncmp(network_line, "GET_SCHEMA_ID", strlen("GET_SCHEMA_ID")) && msg_id != UINT32_MAX  && network_client_get_version(fd) > 0) {
./management/univention-directory-notifier/src/callback.c:293:          } else if ( !strncmp(network_line, "ALIVE", strlen("ALIVE")) && msg_id != UINT32_MAX  && network_client_get_version(fd) > 0) {
./management/univention-directory-listener/src/cache_entry.c:226:               if ( !strncmp(cache_entry->attributes[cache_entry->attribute_count]->name, "memberUid", strlen("memberUid")) ) {
./management/univention-directory-listener/src/cache_entry.c:236:               if ( !strncmp(cache_entry->attributes[cache_entry->attribute_count]->name, "uniqueMember", strlen("uniqueMember")) ) {
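
Added example, not part of the report and not code from the UCS tree: it contrasts the flagged `strncmp(s, lit, strlen(lit))` prefix test with a whole-string `strcmp`, and keeps a prefix match for "key: value" lines such as `dn: `, where the text after the key is the value being parsed. All helper names and sample inputs are constructed, and the delimiter rule in `is_command` is an assumption, not taken from the notifier source.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The flagged pattern: true for any string that merely starts with lit. */
static bool has_prefix(const char *s, const char *lit) {
    return s != NULL && strncmp(s, lit, strlen(lit)) == 0;
}

/* Whole-string match: for fixed tokens and attribute names. */
static bool is_exactly(const char *s, const char *lit) {
    return s != NULL && strcmp(s, lit) == 0;
}

/* Hypothetical helper: boolean setting, exact tokens only. */
static bool ucr_is_true(const char *v) {
    return is_exactly(v, "yes") || is_exactly(v, "true");
}

/* "key: value" line: a prefix match is intended; returns the value or NULL. */
static const char *line_value(const char *line, const char *key) {
    return has_prefix(line, key) ? line + strlen(key) : NULL;
}

/* Command word followed by optional arguments. Assumption: a command ends
 * at NUL, space, CR or LF, so "GET_ID" does not match "GET_IDX". */
static bool is_command(const char *line, const char *cmd) {
    size_t n = strlen(cmd);
    if (!has_prefix(line, cmd))
        return false;
    return line[n] == '\0' || line[n] == ' ' || line[n] == '\r' || line[n] == '\n';
}

int main(void) {
    /* Constructed sample inputs. */
    printf("prefix  yes123          -> %d\n", has_prefix("yes123", "yes"));
    printf("exact   yes123          -> %d\n", ucr_is_true("yes123"));
    printf("prefix  memberUidNumber -> %d\n", has_prefix("memberUidNumber", "memberUid"));
    printf("exact   memberUidNumber -> %d\n", is_exactly("memberUidNumber", "memberUid"));
    printf("value   of dn line      -> %s\n", line_value("dn: cn=admin,dc=example", "dn: "));
    printf("command GET_IDX         -> %d\n", is_command("GET_IDX", "GET_ID"));
    return 0;
}
```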
Comment 1 Philipp Hahn univentionstaff 2016-06-07 18:12:55 CEST
r69893 | Bug #30227 UDL: Fix string prefix comparison

Package: univention-directory-listener
Version: 10.0.0-11.315.201606071717
Branch: ucs_4.1-0
Scope: errata4.1-2

r69910 | Bug #22383,Bug #30227,Bug #30263,Bug #34324,Bug #34507,Bug #34738,Bug #3490,Bug #38696,Bug #39509,Bug #40600,Bug #41261: UDL YAML
 univention-directory-listener.yaml
Comment 2 Arvid Requate univentionstaff 2016-07-14 22:01:09 CEST
Code review: Ok 
Advisory: Ok
Comment 3 Arvid Requate univentionstaff 2016-07-14 22:03:24 CEST
What about the locations you found in univention-directory-notifier? Clone this bug for that cleanup?
Comment 4 Janek Walkenhorst univentionstaff 2016-07-21 15:15:57 CEST
<http://errata.software-univention.de/ucs/4.1/215.html>