OpenLDAP
Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest

Viewing Software Bugs/7485
Full headers

From: h.b.furuseth@usit.uio.no
Subject: libmdb key/data limits not checked/documented.
Compose comment
Download message
State:
0 replies:
0 followups:

Major security issue: yes  no

Notes:

Notification:


Date: Sun, 06 Jan 2013 17:02:11 +0000
From: h.b.furuseth@usit.uio.no
To: openldap-its@OpenLDAP.org
Subject: libmdb key/data limits not checked/documented.
Full_Name: Hallvard B Furuseth
Version: mdb.master 057e0686303444d56f29a7bee0536e261fdf0b6a
OS: Linux x86_64
URL: 
Submission from: (NULL) (193.69.163.163)
Submitted by: hallvard


mdb_put() not check for too big data.  mdb_cursor_put() does not
check for too big key either.  Nor can I see that ldmb.h documents
the limits, and there is no way to ask liblmdb what the limits are.

This can write an item of size (5000000000 & 0xffffffff) or crash:
  MDB_val k1 = {3, "foo"}, x = {5000000000, NULL};
  mdb_dbi_open(txn, NULL, MDB_CREATE, &dbi);
  mdb_put(txn, dbi, &k1, &x, MDB_RESERVE);

Crash:
  MDB_val k1 = {3, "foo"}, y = {5, "xyzzy"}, z = {10000, calloc(1,10000)};
  mdb_dbi_open(txn, NULL, MDB_CREATE|MDB_DUPSORT, &dbi);
  mdb_put(txn, dbi, &k1, &y, 0);
  mdb_put(txn, dbi, &k1, &z, 0); /* segfault */

Crash:
  MDB_val k2 = {8000, calloc(1, 8000)}, y = {5, "xyzzy"};
  mdb_cursor_put(mc, &k2, &y, 0);
while this gives a proper EINVAL:
  mdb_put(txn, dbi, &k2, &y, 0);
Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org