decode.c revision 1.2 
1/*	$NetBSD: decode.c,v 1.2 2020/08/11 13:15:37 christos Exp $	*/
2
3/* decode.c - ber input decoding routines */
4/* $OpenLDAP$ */
5/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
6 *
7 * Copyright 1998-2020 The OpenLDAP Foundation.
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted only as authorized by the OpenLDAP
12 * Public License.
13 *
14 * A copy of this license is available in the file LICENSE in the
15 * top-level directory of the distribution or, alternatively, at
16 * <http://www.OpenLDAP.org/license.html>.
17 */
18/* Portions Copyright (c) 1990 Regents of the University of Michigan.
19 * All rights reserved.
20 *
21 * Redistribution and use in source and binary forms are permitted
22 * provided that this notice is preserved and that due credit is given
23 * to the University of Michigan at Ann Arbor. The name of the University
24 * may not be used to endorse or promote products derived from this
25 * software without specific prior written permission. This software
26 * is provided ``as is'' without express or implied warranty.
27 */
28/* ACKNOWLEDGEMENTS:
29 * This work was originally developed by the University of Michigan
30 * (as part of U-MICH LDAP).
31 */
32
33#include <sys/cdefs.h>
34__RCSID("$NetBSD: decode.c,v 1.2 2020/08/11 13:15:37 christos Exp $");
35
36#include "portable.h"
37
38#include <stdio.h>
39
40#include <ac/stdlib.h>
41#include <ac/stdarg.h>
42#include <ac/string.h>
43#include <ac/socket.h>
44
45#include "lber-int.h"
46
47
48/* out->bv_len should be the buffer size on input */
49int
50ber_decode_oid( BerValue *in, BerValue *out )
51{
52	const unsigned char *der;
53	unsigned long val;
54	unsigned val1;
55	ber_len_t i;
56	char *ptr;
57
58	assert( in != NULL );
59	assert( out != NULL );
60
61	/* need 4 chars/inbyte + \0 for input={7f 7f 7f...} */
62	if ( !out->bv_val || (out->bv_len+3)/4 <= in->bv_len )
63		return -1;
64
65	ptr = NULL;
66	der = (unsigned char *) in->bv_val;
67	val = 0;
68	for ( i=0; i < in->bv_len; i++ ) {
69		val |= der[i] & 0x7f;
70		if ( !( der[i] & 0x80 )) {
71			if ( ptr == NULL ) {
72				/* Initial "x.y": val=x*40+y, x<=2, y<40 if x<2 */
73				ptr = out->bv_val;
74				val1 = (val < 80 ? val/40 : 2);
75				val -= val1*40;
76				ptr += sprintf( ptr, "%u", val1 );
77			}
78			ptr += sprintf( ptr, ".%lu", val );
79			val = 0;
80		} else if ( val - 1UL < LBER_OID_COMPONENT_MAX >> 7 ) {
81			val <<= 7;
82		} else {
83			/* val would overflow, or is 0 from invalid initial 0x80 octet */
84			return -1;
85		}
86	}
87	if ( ptr == NULL || val != 0 )
88		return -1;
89
90	out->bv_len = ptr - out->bv_val;
91	return 0;
92}
93
94/* Return tag, with *bv = rest of element (starting at length octets) */
95static ber_tag_t
96ber_tag_and_rest( const BerElement *ber, struct berval *bv )
97{
98	ber_tag_t	tag;
99	ptrdiff_t	rest;
100	unsigned char	*ptr;
101
102	assert( ber != NULL );
103	assert( LBER_VALID( ber ) );
104
105	ptr = (unsigned char *) ber->ber_ptr;
106	rest = (unsigned char *) ber->ber_end - ptr;
107	if ( rest <= 0 ) {
108		goto fail;
109	}
110
111	tag = ber->ber_tag;
112	if ( (char *) ptr == ber->ber_buf ) {
113		tag = *ptr;
114	}
115	ptr++;
116	rest--;
117	if ( (tag & LBER_BIG_TAG_MASK) != LBER_BIG_TAG_MASK ) {
118		goto done;
119	}
120
121	do {
122		if ( rest <= 0 ) {
123			break;
124		}
125		tag <<= 8;
126		tag |= *ptr++ & 0xffU;
127		rest--;
128
129		if ( ! (tag & LBER_MORE_TAG_MASK) ) {
130			goto done;
131		}
132	} while ( tag <= (ber_tag_t)-1 / 256 );
133
134 fail:
135	/* Error or unsupported tag size */
136	tag = LBER_DEFAULT;
137
138 done:
139	bv->bv_len = rest;
140	bv->bv_val = (char *) ptr;
141	return tag;
142}
143
144/* Return the tag - LBER_DEFAULT returned means trouble */
145ber_tag_t
146ber_get_tag( BerElement *ber )
147{
148	struct berval bv;
149	ber_tag_t tag = ber_tag_and_rest( ber, &bv );
150
151	ber->ber_ptr = bv.bv_val;
152	return tag;
153}
154
155/* Return next element's tag and point *bv at its contents in-place */
156ber_tag_t
157ber_peek_element( const BerElement *ber, struct berval *bv )
158{
159	ber_tag_t	tag;
160	ber_len_t	len, rest;
161	unsigned	i;
162	unsigned char *ptr;
163
164	assert( bv != NULL );
165
166	/*
167	 * Any ber element looks like this: tag length contents.
168	 * Assuming everything's ok, we return the tag, and point
169	 * bv at the contents.
170	 *
171	 * Assumptions:
172	 *	1) definite lengths
173	 *	2) primitive encodings used whenever possible
174	 */
175
176	len = 0;
177
178	/*
179	 * First, we read the tag.
180	 */
181	tag = ber_tag_and_rest( ber, bv );
182
183	rest = bv->bv_len;
184	ptr = (unsigned char *) bv->bv_val;
185	if ( tag == LBER_DEFAULT || rest == 0 ) {
186		goto fail;
187	}
188
189	/*
190	 * Next, read the length.  The first octet determines the length
191	 * of the length.	If bit 8 is 0, the length is the short form,
192	 * otherwise if the octet != 0x80 it's the long form, otherwise
193	 * the ber element has the unsupported indefinite-length format.
194	 * Lengths that do not fit in a ber_len_t are not accepted.
195	 */
196
197	len = *ptr++;
198	rest--;
199
200	if ( len & 0x80U ) {
201		len &= 0x7fU;
202		if ( len - 1U > sizeof(ber_len_t) - 1U || rest < len ) {
203			/* Indefinite-length/too long length/not enough data */
204			goto fail;
205		}
206
207		rest -= len;
208		i = len;
209		for( len = *ptr++ & 0xffU; --i; len |= *ptr++ & 0xffU ) {
210			len <<= 8;
211		}
212	}
213
214	/* BER element should have enough data left */
215	if( len > rest ) {
216	fail:
217		tag = LBER_DEFAULT;
218	}
219
220	bv->bv_len = len;
221	bv->bv_val = (char *) ptr;
222	return tag;
223}
224
225/* Move past next element, point *bv at it in-place, and return its tag.
226 * The caller may \0-terminate *bv, as next octet is saved in ber->ber_tag.
227 * Similar to ber_get_stringbv(ber, bv, LBER_BV_NOTERM) except on error.
228 */
229ber_tag_t
230ber_skip_element( BerElement *ber, struct berval *bv )
231{
232	ber_tag_t tag = ber_peek_element( ber, bv );
233
234	if ( tag != LBER_DEFAULT ) {
235		ber->ber_ptr = bv->bv_val + bv->bv_len;
236		ber->ber_tag = *(unsigned char *) ber->ber_ptr;
237	}
238
239	return tag;
240}
241
242ber_tag_t
243ber_peek_tag(
244	BerElement *ber,
245	ber_len_t *len )
246{
247	struct berval bv;
248	ber_tag_t tag = ber_peek_element( ber, &bv );
249
250	*len = bv.bv_len;
251	return tag;
252}
253
254ber_tag_t
255ber_skip_tag( BerElement *ber, ber_len_t *lenp )
256{
257	struct berval bv;
258	ber_tag_t tag = ber_peek_element( ber, &bv );
259
260	ber->ber_ptr = bv.bv_val;
261	ber->ber_tag = *(unsigned char *) ber->ber_ptr;
262
263	*lenp = bv.bv_len;
264	return tag;
265}
266
267ber_tag_t
268ber_get_int(
269	BerElement *ber,
270	ber_int_t *num )
271{
272	ber_tag_t	tag;
273	ber_len_t	len;
274	struct berval bv;
275
276	assert( num != NULL );
277
278	tag = ber_skip_element( ber, &bv );
279	len = bv.bv_len;
280	if ( tag == LBER_DEFAULT || len > sizeof(ber_int_t) ) {
281		return LBER_DEFAULT;
282	}
283
284	/* parse two's complement integer */
285	if( len ) {
286		unsigned char *buf = (unsigned char *) bv.bv_val;
287		ber_len_t i;
288		ber_int_t netnum = buf[0] & 0xff;
289
290		/* sign extend */
291		netnum = (netnum ^ 0x80) - 0x80;
292
293		/* shift in the bytes */
294		for( i = 1; i < len; i++ ) {
295			netnum = (netnum << 8 ) | buf[i];
296		}
297
298		*num = netnum;
299
300	} else {
301		*num = 0;
302	}
303
304	return tag;
305}
306
307ber_tag_t
308ber_get_enum(
309	BerElement *ber,
310	ber_int_t *num )
311{
312	return ber_get_int( ber, num );
313}
314
315ber_tag_t
316ber_get_stringb(
317	BerElement *ber,
318	char *buf,
319	ber_len_t *len )
320{
321	struct berval bv;
322	ber_tag_t	tag;
323
324	if ( (tag = ber_skip_element( ber, &bv )) == LBER_DEFAULT ) {
325		return LBER_DEFAULT;
326	}
327
328	/* must fit within allocated space with termination */
329	if ( bv.bv_len >= *len ) {
330		return LBER_DEFAULT;
331	}
332
333	memcpy( buf, bv.bv_val, bv.bv_len );
334	buf[bv.bv_len] = '\0';
335
336	*len = bv.bv_len;
337	return tag;
338}
339
340/* Definitions for get_string vector
341 *
342 * ChArray, BvArray, and BvVec are self-explanatory.
343 * BvOff is a struct berval embedded in an array of larger structures
344 * of siz bytes at off bytes from the beginning of the struct.
345 */
346enum bgbvc { ChArray, BvArray, BvVec, BvOff };
347
348/* Use this single cookie for state, to keep actual
349 * stack use to the absolute minimum.
350 */
351typedef struct bgbvr {
352	const enum bgbvc choice;
353	const int option;	/* (ALLOC unless BvOff) | (STRING if ChArray) */
354	ber_len_t siz;		/* input array element size, output count */
355	ber_len_t off;		/* BvOff offset to the struct berval */
356	void *result;
357} bgbvr;
358
359static ber_tag_t
360ber_get_stringbvl( BerElement *ber, bgbvr *b )
361{
362	int i = 0, n;
363	ber_tag_t tag;
364	ber_len_t tot_size = 0, siz = b->siz;
365	char *last, *orig;
366	struct berval bv, *bvp = NULL;
367	union stringbvl_u {
368		char **ca;				/* ChArray */
369		BerVarray ba;			/* BvArray */
370		struct berval **bv;		/* BvVec */
371		char *bo;				/* BvOff */
372	} res;
373
374	tag = ber_skip_tag( ber, &bv.bv_len );
375
376	if ( tag != LBER_DEFAULT ) {
377		tag = 0;
378		orig = ber->ber_ptr;
379		last = orig + bv.bv_len;
380
381		for ( ; ber->ber_ptr < last; i++, tot_size += siz ) {
382			if ( ber_skip_element( ber, &bv ) == LBER_DEFAULT )
383				break;
384		}
385		if ( ber->ber_ptr != last ) {
386			i = 0;
387			tag = LBER_DEFAULT;
388		}
389
390		ber->ber_ptr = orig;
391		ber->ber_tag = *(unsigned char *) orig;
392	}
393
394	b->siz = i;
395	if ( i == 0 ) {
396		return tag;
397	}
398
399	/* Allocate and NULL-terminate the result vector */
400	b->result = ber_memalloc_x( tot_size + siz, ber->ber_memctx );
401	if ( b->result == NULL ) {
402		return LBER_DEFAULT;
403	}
404	switch (b->choice) {
405	case ChArray:
406		res.ca = b->result;
407		res.ca[i] = NULL;
408		break;
409	case BvArray:
410		res.ba = b->result;
411		res.ba[i].bv_val = NULL;
412		break;
413	case BvVec:
414		res.bv = b->result;
415		res.bv[i] = NULL;
416		break;
417	case BvOff:
418		res.bo = (char *) b->result + b->off;
419		((struct berval *) (res.bo + tot_size))->bv_val = NULL;
420		tot_size = 0;
421		break;
422	}
423
424	n = 0;
425	do {
426		tag = ber_get_stringbv( ber, &bv, b->option );
427		if ( tag == LBER_DEFAULT ) {
428			goto failed;
429		}
430
431		/* store my result */
432		switch (b->choice) {
433		case ChArray:
434			res.ca[n] = bv.bv_val;
435			break;
436		case BvArray:
437			res.ba[n] = bv;
438			break;
439		case BvVec:
440			bvp = ber_memalloc_x( sizeof( struct berval ),
441				ber->ber_memctx );
442			if ( !bvp ) {
443				ber_memfree_x( bv.bv_val, ber->ber_memctx );
444				goto failed;
445			}
446			res.bv[n] = bvp;
447			*bvp = bv;
448			break;
449		case BvOff:
450			*(struct berval *)(res.bo + tot_size) = bv;
451			tot_size += siz;
452			break;
453		}
454	} while (++n < i);
455	return tag;
456
457failed:
458	if (b->choice != BvOff) { /* BvOff does not have LBER_BV_ALLOC set */
459		while (--n >= 0) {
460			switch(b->choice) {
461			case ChArray:
462				ber_memfree_x(res.ca[n], ber->ber_memctx);
463				break;
464			case BvArray:
465				ber_memfree_x(res.ba[n].bv_val, ber->ber_memctx);
466				break;
467			case BvVec:
468				ber_memfree_x(res.bv[n]->bv_val, ber->ber_memctx);
469				ber_memfree_x(res.bv[n], ber->ber_memctx);
470				break;
471			default:
472				break;
473			}
474		}
475	}
476	ber_memfree_x(b->result, ber->ber_memctx);
477	b->result = NULL;
478	return LBER_DEFAULT;
479}
480
481ber_tag_t
482ber_get_stringbv( BerElement *ber, struct berval *bv, int option )
483{
484	ber_tag_t	tag;
485	char		*data;
486
487	tag = ber_skip_element( ber, bv );
488	if ( tag == LBER_DEFAULT ||
489		(( option & LBER_BV_STRING ) &&
490		 bv->bv_len && memchr( bv->bv_val, 0, bv->bv_len - 1 )))
491	{
492		bv->bv_val = NULL;
493		return LBER_DEFAULT;
494	}
495
496	data = bv->bv_val;
497	if ( option & LBER_BV_ALLOC ) {
498		bv->bv_val = (char *) ber_memalloc_x( bv->bv_len + 1,
499			ber->ber_memctx );
500		if ( bv->bv_val == NULL ) {
501			return LBER_DEFAULT;
502		}
503
504		if ( bv->bv_len != 0 ) {
505			memcpy( bv->bv_val, data, bv->bv_len );
506		}
507		data = bv->bv_val;
508	}
509	if ( !( option & LBER_BV_NOTERM ))
510		data[bv->bv_len] = '\0';
511
512	return tag;
513}
514
515ber_tag_t
516ber_get_stringbv_null( BerElement *ber, struct berval *bv, int option )
517{
518	ber_tag_t	tag;
519	char		*data;
520
521	tag = ber_skip_element( ber, bv );
522	if ( tag == LBER_DEFAULT || bv->bv_len == 0 ) {
523		bv->bv_val = NULL;
524		return tag;
525	}
526
527	if (( option & LBER_BV_STRING ) &&
528		memchr( bv->bv_val, 0, bv->bv_len - 1 ))
529	{
530		bv->bv_val = NULL;
531		return LBER_DEFAULT;
532	}
533
534	data = bv->bv_val;
535	if ( option & LBER_BV_ALLOC ) {
536		bv->bv_val = (char *) ber_memalloc_x( bv->bv_len + 1,
537			ber->ber_memctx );
538		if ( bv->bv_val == NULL ) {
539			return LBER_DEFAULT;
540		}
541
542		memcpy( bv->bv_val, data, bv->bv_len );
543		data = bv->bv_val;
544	}
545	if ( !( option & LBER_BV_NOTERM ))
546		data[bv->bv_len] = '\0';
547
548	return tag;
549}
550
551ber_tag_t
552ber_get_stringa( BerElement *ber, char **buf )
553{
554	BerValue	bv;
555	ber_tag_t	tag;
556
557	assert( buf != NULL );
558
559	tag = ber_get_stringbv( ber, &bv, LBER_BV_ALLOC | LBER_BV_STRING );
560	*buf = bv.bv_val;
561
562	return tag;
563}
564
565ber_tag_t
566ber_get_stringa_null( BerElement *ber, char **buf )
567{
568	BerValue	bv;
569	ber_tag_t	tag;
570
571	assert( buf != NULL );
572
573	tag = ber_get_stringbv_null( ber, &bv, LBER_BV_ALLOC | LBER_BV_STRING );
574	*buf = bv.bv_val;
575
576	return tag;
577}
578
579ber_tag_t
580ber_get_stringal( BerElement *ber, struct berval **bv )
581{
582	ber_tag_t	tag;
583
584	assert( ber != NULL );
585	assert( bv != NULL );
586
587	*bv = (struct berval *) ber_memalloc_x( sizeof(struct berval),
588		ber->ber_memctx );
589	if ( *bv == NULL ) {
590		return LBER_DEFAULT;
591	}
592
593	tag = ber_get_stringbv( ber, *bv, LBER_BV_ALLOC );
594	if ( tag == LBER_DEFAULT ) {
595		ber_memfree_x( *bv, ber->ber_memctx );
596		*bv = NULL;
597	}
598	return tag;
599}
600
601ber_tag_t
602ber_get_bitstringa(
603	BerElement *ber,
604	char **buf,
605	ber_len_t *blen )
606{
607	ber_tag_t	tag;
608	struct berval	data;
609	unsigned char	unusedbits;
610
611	assert( buf != NULL );
612	assert( blen != NULL );
613
614	if ( (tag = ber_skip_element( ber, &data )) == LBER_DEFAULT ) {
615		goto fail;
616	}
617
618	if ( --data.bv_len > (ber_len_t)-1 / 8 ) {
619		goto fail;
620	}
621	unusedbits = *(unsigned char *) data.bv_val++;
622	if ( unusedbits > 7 ) {
623		goto fail;
624	}
625
626	if ( memchr( data.bv_val, 0, data.bv_len )) {
627		goto fail;
628	}
629
630	*buf = (char *) ber_memalloc_x( data.bv_len, ber->ber_memctx );
631	if ( *buf == NULL ) {
632		return LBER_DEFAULT;
633	}
634	memcpy( *buf, data.bv_val, data.bv_len );
635
636	*blen = data.bv_len * 8 - unusedbits;
637	return tag;
638
639 fail:
640	*buf = NULL;
641	return LBER_DEFAULT;
642}
643
644ber_tag_t
645ber_get_null( BerElement *ber )
646{
647	ber_len_t	len;
648	ber_tag_t	tag = ber_skip_tag( ber, &len );
649
650	return( len == 0 ? tag : LBER_DEFAULT );
651}
652
653ber_tag_t
654ber_get_boolean(
655	BerElement *ber,
656	ber_int_t *boolval )
657{
658	return ber_get_int( ber, boolval );
659}
660
661ber_tag_t
662ber_first_element(
663	BerElement *ber,
664	ber_len_t *len,
665	char **last )
666{
667	assert( last != NULL );
668
669	/* skip the sequence header, use the len to mark where to stop */
670	if ( ber_skip_tag( ber, len ) == LBER_DEFAULT ) {
671		*last = NULL;
672		return LBER_DEFAULT;
673	}
674
675	*last = ber->ber_ptr + *len;
676
677	if ( *len == 0 ) {
678		return LBER_DEFAULT;
679	}
680
681	return ber_peek_tag( ber, len );
682}
683
684ber_tag_t
685ber_next_element(
686	BerElement *ber,
687	ber_len_t *len,
688	LDAP_CONST char *last )
689{
690	assert( ber != NULL );
691	assert( last != NULL );
692	assert( LBER_VALID( ber ) );
693
694	if ( ber->ber_ptr >= last ) {
695		return LBER_DEFAULT;
696	}
697
698	return ber_peek_tag( ber, len );
699}
700
701/* VARARGS */
702ber_tag_t
703ber_scanf ( BerElement *ber,
704	LDAP_CONST char *fmt,
705	... )
706{
707	va_list		ap;
708	LDAP_CONST char		*fmt_reset;
709	char		*s, **ss, ***sss;
710	struct berval	data, *bval, **bvp, ***bvpp;
711	ber_int_t	*i;
712	ber_len_t	*l;
713	ber_tag_t	*t;
714	ber_tag_t	rc;
715	ber_len_t	len;
716
717	va_start( ap, fmt );
718
719	assert( ber != NULL );
720	assert( fmt != NULL );
721	assert( LBER_VALID( ber ) );
722
723	fmt_reset = fmt;
724
725	if ( ber->ber_debug & (LDAP_DEBUG_TRACE|LDAP_DEBUG_BER)) {
726		ber_log_printf( LDAP_DEBUG_TRACE, ber->ber_debug,
727			"ber_scanf fmt (%s) ber:\n", fmt );
728		ber_log_dump( LDAP_DEBUG_BER, ber->ber_debug, ber, 1 );
729	}
730
731	for ( rc = 0; *fmt && rc != LBER_DEFAULT; fmt++ ) {
732		/* When this is modified, remember to update
733		 * the error-cleanup code below accordingly. */
734		switch ( *fmt ) {
735		case '!': { /* Hook */
736				BERDecodeCallback *f;
737				void *p;
738
739				f = va_arg( ap, BERDecodeCallback * );
740				p = va_arg( ap, void * );
741
742				rc = (*f)( ber, p, 0 );
743			} break;
744
745		case 'a':	/* octet string - allocate storage as needed */
746			ss = va_arg( ap, char ** );
747			rc = ber_get_stringa( ber, ss );
748			break;
749
750		case 'A':	/* octet string - allocate storage as needed,
751				 * but return NULL if len == 0 */
752			ss = va_arg( ap, char ** );
753			rc = ber_get_stringa_null( ber, ss );
754			break;
755
756		case 'b':	/* boolean */
757			i = va_arg( ap, ber_int_t * );
758			rc = ber_get_boolean( ber, i );
759			break;
760
761		case 'B':	/* bit string - allocate storage as needed */
762			ss = va_arg( ap, char ** );
763			l = va_arg( ap, ber_len_t * ); /* for length, in bits */
764			rc = ber_get_bitstringa( ber, ss, l );
765			break;
766
767		case 'e':	/* enumerated */
768		case 'i':	/* integer */
769			i = va_arg( ap, ber_int_t * );
770			rc = ber_get_int( ber, i );
771			break;
772
773		case 'l':	/* length of next item */
774			l = va_arg( ap, ber_len_t * );
775			rc = ber_peek_tag( ber, l );
776			break;
777
778		case 'm':	/* octet string in berval, in-place */
779			bval = va_arg( ap, struct berval * );
780			rc = ber_get_stringbv( ber, bval, 0 );
781			break;
782
783		case 'M':	/* bvoffarray - must include address of
784				 * a record len, and record offset.
785				 * number of records will be returned thru
786				 * len ptr on finish. parsed in-place.
787				 */
788		{
789			bgbvr cookie = { BvOff, 0 };
790			bvp = va_arg( ap, struct berval ** );
791			l = va_arg( ap, ber_len_t * );
792			cookie.siz = *l;
793			cookie.off = va_arg( ap, ber_len_t );
794			rc = ber_get_stringbvl( ber, &cookie );
795			*bvp = cookie.result;
796			*l = cookie.siz;
797			break;
798		}
799
800		case 'n':	/* null */
801			rc = ber_get_null( ber );
802			break;
803
804		case 'o':	/* octet string in a supplied berval */
805			bval = va_arg( ap, struct berval * );
806			rc = ber_get_stringbv( ber, bval, LBER_BV_ALLOC );
807			break;
808
809		case 'O':	/* octet string - allocate & include length */
810			bvp = va_arg( ap, struct berval ** );
811			rc = ber_get_stringal( ber, bvp );
812			break;
813
814		case 's':	/* octet string - in a buffer */
815			s = va_arg( ap, char * );
816			l = va_arg( ap, ber_len_t * );
817			rc = ber_get_stringb( ber, s, l );
818			break;
819
820		case 't':	/* tag of next item */
821			t = va_arg( ap, ber_tag_t * );
822			*t = rc = ber_peek_tag( ber, &len );
823			break;
824
825		case 'T':	/* skip tag of next item */
826			t = va_arg( ap, ber_tag_t * );
827			*t = rc = ber_skip_tag( ber, &len );
828			break;
829
830		case 'v':	/* sequence of strings */
831		{
832			bgbvr cookie = {
833				ChArray, LBER_BV_ALLOC | LBER_BV_STRING, sizeof( char * )
834			};
835			rc = ber_get_stringbvl( ber, &cookie );
836			*(va_arg( ap, char *** )) = cookie.result;
837			break;
838		}
839
840		case 'V':	/* sequence of strings + lengths */
841		{
842			bgbvr cookie = {
843				BvVec, LBER_BV_ALLOC, sizeof( struct berval * )
844			};
845			rc = ber_get_stringbvl( ber, &cookie );
846			*(va_arg( ap, struct berval *** )) = cookie.result;
847			break;
848		}
849
850		case 'W':	/* bvarray */
851		{
852			bgbvr cookie = {
853				BvArray, LBER_BV_ALLOC, sizeof( struct berval )
854			};
855			rc = ber_get_stringbvl( ber, &cookie );
856			*(va_arg( ap, struct berval ** )) = cookie.result;
857			break;
858		}
859
860		case 'x':	/* skip the next element - whatever it is */
861			rc = ber_skip_element( ber, &data );
862			break;
863
864		case '{':	/* begin sequence */
865		case '[':	/* begin set */
866			switch ( fmt[1] ) {
867			case 'v': case 'V': case 'W': case 'M':
868				break;
869			default:
870				rc = ber_skip_tag( ber, &len );
871				break;
872			}
873			break;
874
875		case '}':	/* end sequence */
876		case ']':	/* end set */
877			break;
878
879		default:
880			if( ber->ber_debug ) {
881				ber_log_printf( LDAP_DEBUG_ANY, ber->ber_debug,
882					"ber_scanf: unknown fmt %c\n", *fmt );
883			}
884			rc = LBER_DEFAULT;
885			break;
886		}
887	}
888
889	va_end( ap );
890
891	if ( rc == LBER_DEFAULT ) {
892		/*
893		 * Error.  Reclaim malloced memory that was given to the caller.
894		 * Set allocated pointers to NULL, "data length" outvalues to 0.
895		 */
896		va_start( ap, fmt );
897
898		for ( ; fmt_reset < fmt; fmt_reset++ ) {
899		switch ( *fmt_reset ) {
900		case '!': { /* Hook */
901				BERDecodeCallback *f;
902				void *p;
903
904				f = va_arg( ap, BERDecodeCallback * );
905				p = va_arg( ap, void * );
906
907				(void) (*f)( ber, p, 1 );
908			} break;
909
910		case 'a':	/* octet string - allocate storage as needed */
911		case 'A':
912			ss = va_arg( ap, char ** );
913			ber_memfree_x( *ss, ber->ber_memctx );
914			*ss = NULL;
915			break;
916
917		case 'b':	/* boolean */
918		case 'e':	/* enumerated */
919		case 'i':	/* integer */
920			(void) va_arg( ap, ber_int_t * );
921			break;
922
923		case 'l':	/* length of next item */
924			*(va_arg( ap, ber_len_t * )) = 0;
925			break;
926
927		case 'm':	/* berval in-place */
928			bval = va_arg( ap, struct berval * );
929			BER_BVZERO( bval );
930			break;
931
932		case 'M':	/* BVoff array in-place */
933			bvp = va_arg( ap, struct berval ** );
934			ber_memfree_x( *bvp, ber->ber_memctx );
935			*bvp = NULL;
936			*(va_arg( ap, ber_len_t * )) = 0;
937			(void) va_arg( ap, ber_len_t );
938			break;
939
940		case 'o':	/* octet string in a supplied berval */
941			bval = va_arg( ap, struct berval * );
942			ber_memfree_x( bval->bv_val, ber->ber_memctx );
943			BER_BVZERO( bval );
944			break;
945
946		case 'O':	/* octet string - allocate & include length */
947			bvp = va_arg( ap, struct berval ** );
948			ber_bvfree_x( *bvp, ber->ber_memctx );
949			*bvp = NULL;
950			break;
951
952		case 's':	/* octet string - in a buffer */
953			(void) va_arg( ap, char * );
954			*(va_arg( ap, ber_len_t * )) = 0;
955			break;
956
957		case 't':	/* tag of next item */
958		case 'T':	/* skip tag of next item */
959			(void) va_arg( ap, ber_tag_t * );
960			break;
961
962		case 'B':	/* bit string - allocate storage as needed */
963			ss = va_arg( ap, char ** );
964			ber_memfree_x( *ss, ber->ber_memctx );
965			*ss = NULL;
966			*(va_arg( ap, ber_len_t * )) = 0; /* for length, in bits */
967			break;
968
969		case 'v':	/* sequence of strings */
970			sss = va_arg( ap, char *** );
971			ber_memvfree_x( (void **) *sss, ber->ber_memctx );
972			*sss = NULL;
973			break;
974
975		case 'V':	/* sequence of strings + lengths */
976			bvpp = va_arg( ap, struct berval *** );
977			ber_bvecfree_x( *bvpp, ber->ber_memctx );
978			*bvpp = NULL;
979			break;
980
981		case 'W':	/* BerVarray */
982			bvp = va_arg( ap, struct berval ** );
983			ber_bvarray_free_x( *bvp, ber->ber_memctx );
984			*bvp = NULL;
985			break;
986
987		case 'n':	/* null */
988		case 'x':	/* skip the next element - whatever it is */
989		case '{':	/* begin sequence */
990		case '[':	/* begin set */
991		case '}':	/* end sequence */
992		case ']':	/* end set */
993			break;
994
995		default:
996			/* format should be good */
997			assert( 0 );
998		}
999		}
1000
1001		va_end( ap );
1002	}
1003
1004	return rc;
1005}
1006