
(ITS#5558) Buffer Overflow in back_sock and back_shell



Full_Name: Stef Walter
Version: openldap 2.4.10
OS: FreeBSD 6.3-RELEASE-p2
URL: http://memberwebs.com/stef/scraps/openldap24-buffer-overflow.patch
Submission from: (NULL) (189.162.38.105)


The back_sock and back_shell backends have a buffer overflow (off by one)
problem in their result parsing code in read_and_send_results() lines 82-89 in
result.c. The buffer is reallocated when an additional string would be too long
for the buffer, but the string's null terminator is not taken into account. 

This can cause a crash in certain situations. These situations are obviously
data and OS dependent. But with specific data, the crash is reproducible.

Patch which fixes the problem:

--- ../openldap-2.4.10/servers/slapd/back-sock/result.c	2008-02-08
18:46:09.000000000 -0000
+++ servers/slapd/back-sock/result.c	2008-06-13 15:56:46.000000000 -0000
@@ -77,7 +77,7 @@
 		}
 
 		len = strlen( line );
-		while ( bp + len - buf > bsize ) {
+		while ( bp + (len + 1) - buf > bsize ) {
 			size_t offset = bp - buf;
 			bsize += BUFSIZ;
 			buf = (char *) ch_realloc( buf, bsize );
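Review bot: the `+ 1` on the patched `while` line is the entire fix, and nothing in the hunk records why it is there; a one-line comment such as `/* +1: room for the NUL that is copied along with line */` would keep a later cleanup from reverting it to the shorter form. The arithmetic checks out: when `bp + len - buf == bsize` the old condition skips the realloc, yet copying `line` with its terminator writes `len + 1` bytes from `bp`, leaving the NUL at `buf[bsize]`; with `len + 1` that exact-fit case now grows the buffer, and since `offset` is saved before `ch_realloc` the `bp` fix-up below remains correct.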
--- ../openldap-2.4.10/servers/slapd/back-shell/result.c	2008-02-11
17:26:47.000000000 -0000
+++ servers/slapd/back-shell/result.c	2008-06-13 15:57:02.000000000 -0000
@@ -80,7 +80,7 @@
 		}
 
 		len = strlen( line );
-		while ( bp + len - buf > bsize ) {
+		while ( bp + (len + 1) - buf > bsize ) {
 			size_t offset = bp - buf;
 			bsize += BUFSIZ;
 			buf = (char *) ch_realloc( buf, bsize );
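Review bot: this hunk is the same one-character change as the back-sock hunk, which shows the result-parsing loop is maintained as two separate copies; the fix itself is right for the same reason as above, but the commit message (or the ITS) should name both files so that neither copy is patched alone, and a follow-up that shares the loop between the two backends would stop the copies drifting apart again.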
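The report describes a growth check that forgets the terminator: the buffer is extended only when the string itself no longer fits, so a line that fills the remaining space exactly leaves the NUL one byte past the end. The following is an added example, not code from the ITS or from OpenLDAP; it reimplements the growth loop in a small harness with a constructed growth step `GROW` standing in for `BUFSIZ`, hypothetical helpers `append_line` and `run_lines`, and a bounds check before the copy that the original code lacks, so the original and patched conditions can be compared on the same input without writing out of bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growth step; stands in for BUFSIZ (an assumption of this example) so the
 * exact-fit edge case is easy to construct. */
#define GROW 16

/* Append `line` to a heap buffer that grows in GROW-byte steps, mirroring the
 * loop in read_and_send_results(). With fixed == 0 the growth test is the
 * original `bp + len - buf > bsize`; with fixed != 0 it is the patched
 * `bp + (len + 1) - buf > bsize`. The pointer arithmetic is rearranged into
 * `(bp - buf) + need > bsize`, which is the same comparison without forming a
 * pointer past the allocation. Before copying, the function checks whether
 * the copy (len bytes plus the NUL) would still land past the end of the
 * buffer and returns -1 in that case instead of writing out of bounds.
 * Returns 0 on success. */
static int append_line(char **buf, size_t *bsize, char **bp,
                       const char *line, int fixed)
{
    size_t len = strlen(line);
    size_t need = fixed ? len + 1 : len;

    while ((size_t)(*bp - *buf) + need > *bsize) {
        size_t offset = *bp - *buf;     /* bp is recomputed after realloc */
        *bsize += GROW;
        *buf = realloc(*buf, *bsize);
        if (*buf == NULL)
            abort();
        *bp = *buf + offset;
    }

    /* Safety net the original code lacks: the terminator must fit too. */
    if ((size_t)(*bp - *buf) + len + 1 > *bsize)
        return -1;

    memcpy(*bp, line, len + 1);
    *bp += len;
    return 0;
}

/* Feed a NULL-terminated array of lines into a fresh GROW-byte buffer.
 * Returns 1 if every append stayed in bounds, 0 if one of them would have
 * placed the NUL at buf[bsize]. */
int run_lines(const char **lines, int fixed)
{
    size_t bsize = GROW;
    char *buf = malloc(bsize);
    char *bp = buf;
    int ok = 1;

    if (buf == NULL)
        abort();
    buf[0] = '\0';
    for (; *lines != NULL; lines++) {
        if (append_line(&buf, &bsize, &bp, *lines, fixed) != 0) {
            ok = 0;
            break;
        }
    }
    free(buf);
    return ok;
}

/* Constructed inputs. The first line is exactly GROW bytes long, so with an
 * empty buffer the old condition sees len == bsize, does not grow, and the
 * NUL would land at buf[GROW]. The second set fits with a byte to spare and
 * is safe under both conditions, which is why the crash is data dependent. */
static const char *edge_case[] = { "0123456789abcdef", NULL };
static const char *plain_case[] = { "dn: cn=x\n", "cn: x\n", NULL };

int main(void)
{
    printf("original condition, exact-fit line: %s\n",
           run_lines(edge_case, 0) ? "in bounds" : "overflow");
    printf("patched condition,  exact-fit line: %s\n",
           run_lines(edge_case, 1) ? "in bounds" : "overflow");
    printf("original condition, short lines:    %s\n",
           run_lines(plain_case, 0) ? "in bounds" : "overflow");
    return 0;
}
```

Running it shows the original condition reporting an overflow only for the exact-fit input and the patched condition staying in bounds for both; in the real backends there is no pre-copy check, so the exact-fit case writes the terminator one byte past the heap block, which is the crash the report describes.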