From 473d44c9de78b9e1e2ab5d60783dad23fc7719f0 Mon Sep 17 00:00:00 2001
From: Martin Hedenfal
Date: Thu, 1 Jul 2010 04:21:42 +0000
Subject: If the length of an element being read is larger than what is available in the buffer, return immediately. This fixes reading large messages, and allows bad requests to be cancelled earlier. Originally from Alexander Schrijver, tweaked by me.
---
 usr.sbin/ldapd/ber.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/ldapd/ber.c b/usr.sbin/ldapd/ber.c
index 936132cbeb0..e69693bc6a1 100644
--- a/usr.sbin/ldapd/ber.c
+++ b/usr.sbin/ldapd/ber.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ber.c,v 1.3 2010/06/08 17:52:47 martinh Exp $ */
+/* $OpenBSD: ber.c,v 1.4 2010/07/01 04:21:41 martinh Exp $ */
 
 /*
 * Copyright (c) 2007 Reyk Floeter
@@ -1065,6 +1065,13 @@ ber_read_element(struct ber *ber, struct ber_element *elm)
 DPRINTF("ber read element size %zd\n", len);
 totlen += r + len;
 
+ /* If using an external buffer and the total size of the element
+ * is larger then the external buffer don't bother to continue. */
+ if (ber->fd == -1 && totlen > ber->br_rend - ber->br_rbuf) {
+ errno = ECANCELED;
+ return -1;
+ }
+
 elm->be_type = type;
 elm->be_len = len;
 elm->be_class = class;
--
cgit v1.2.3
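Review bot: The new guard in ber_read_element compares `totlen` with the size of the whole external buffer (`ber->br_rend - ber->br_rbuf`) rather than with the bytes still unread, so a nested or later element whose declared length runs past the end of the data still passes whenever it is smaller than the buffer itself. Because the length comes from the peer's BER encoding, the check is tighter against what is left, for example `if (ber->fd == -1 && len > ber->br_rend - ber->br_rptr) {`, assuming the tag and length octets have already been consumed at this point; the function starts and ends outside the hunk, so confirm where `br_rptr` stands. The declarations of `len` and `totlen` are also outside the hunk, and if they are signed it is worth confirming that a very large decoded length cannot wrap `totlen += r + len` before the comparison. The comment should read "larger than", and a line such as `/* ECANCELED: element cannot fit in the supplied buffer, so the request is rejected instead of waiting for more data */` would document what the errno means to callers.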