potential crash in C SDK ber_scanf() (ITS#1410)
Full_Name: George Powers
Version: 2.0.18
OS: NT
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (207.78.98.2)
Here's an extract from ber_scanf():
    case 'v':       /* sequence of strings */
        sss = va_arg( ap, char *** );
        *sss = NULL;
        j = 0;
        for ( tag = ber_first_element( ber, &len, &last );
            tag != LBER_DEFAULT && rc != LBER_DEFAULT;
            tag = ber_next_element( ber, &len, last ) )
        {
            *sss = (char **) LBER_REALLOC( *sss,
                (j + 2) * sizeof(char *) );
            rc = ber_get_stringa( ber, &((*sss)[j]) );
            j++;
        }
        if ( j > 0 )
            (*sss)[j] = NULL;
        break;
If LBER_REALLOC() fails, ber_get_stringa() will write to an offset from a null
pointer.
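
The loop pattern from the report with the reallocation result checked before use, as an added example that is not OpenLDAP code or the project's fix. It assumes a plain string array in place of BER elements; `collect_strings`, `flaky_realloc`, `fail_after` and `free_strv` are hypothetical names. Assigning the result to a temporary also keeps the old array reachable so it can be freed when growth fails.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator hook standing in for LBER_REALLOC, so the
 * failure path can be exercised without exhausting memory. */
typedef void *(*realloc_fn)(void *, size_t);

static int fail_after = -1;   /* constructed fault injector: -1 = never fail */
static void *flaky_realloc(void *p, size_t n) {
    if (fail_after == 0) return NULL;      /* simulated out-of-memory */
    if (fail_after > 0) fail_after--;
    return realloc(p, n);
}

static void free_strv(char **v, size_t n) {
    for (size_t i = 0; i < n; i++) free(v[i]);
    free(v);
}

/* Build a NULL-terminated string array the way the 'v' case does.
 * Returns 0 on success; -1 on allocation failure, with *out == NULL. */
int collect_strings(const char *const *src, size_t n, char ***out, realloc_fn ra) {
    char **v = NULL;
    *out = NULL;
    for (size_t j = 0; j < n; j++) {
        /* Assign to a temporary: the old block stays reachable on failure. */
        char **tmp = ra(v, (j + 2) * sizeof(char *));
        if (tmp == NULL) { free_strv(v, j); return -1; }
        v = tmp;
        v[j] = malloc(strlen(src[j]) + 1);
        if (v[j] == NULL) { free_strv(v, j); return -1; }
        strcpy(v[j], src[j]);
        v[j + 1] = NULL;      /* keep the array terminated at every step */
    }
    *out = v;
    return 0;
}

int main(void) {
    const char *const src[] = { "cn=a", "cn=b", "cn=c" };  /* constructed input */
    char **v;
    fail_after = 1;           /* second reallocation fails */
    if (collect_strings(src, 3, &v, flaky_realloc) != -1 || v != NULL) return 1;
    fail_after = -1;
    if (collect_strings(src, 3, &v, flaky_realloc) != 0) return 1;
    free_strv(v, 3);
    return 0;
}
```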