Software Bugs/7485
Notes: fixed in master, fixed in RE24
Date: Sun, 06 Jan 2013 17:02:11 +0000
From: h.b.furuseth@usit.uio.no
To: openldap-its@OpenLDAP.org
Subject: libmdb key/data limits not checked/documented.
Full_Name: Hallvard B Furuseth
Version: mdb.master 057e0686303444d56f29a7bee0536e261fdf0b6a
OS: Linux x86_64
URL:
Submission from: (NULL) (193.69.163.163)
Submitted by: hallvard

mdb_put() does not check for too big data. mdb_cursor_put() does not
check for too big key either. Nor can I see that lmdb.h documents the
limits, and there is no way to ask liblmdb what the limits are.

This can write an item of size (5000000000 & 0xffffffff) or crash:

    MDB_val k1 = {3, "foo"}, x = {5000000000, NULL};
    mdb_dbi_open(txn, NULL, MDB_CREATE, &dbi);
    mdb_put(txn, dbi, &k1, &x, MDB_RESERVE);

Crash:

    MDB_val k1 = {3, "foo"}, y = {5, "xyzzy"}, z = {10000, calloc(1,10000)};
    mdb_dbi_open(txn, NULL, MDB_CREATE|MDB_DUPSORT, &dbi);
    mdb_put(txn, dbi, &k1, &y, 0);
    mdb_put(txn, dbi, &k1, &z, 0); /* segfault */

Crash:

    MDB_val k2 = {8000, calloc(1, 8000)}, y = {5, "xyzzy"};
    mdb_cursor_put(mc, &k2, &y, 0);

while this gives a proper EINVAL:

    mdb_put(txn, dbi, &k2, &y, 0);
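
One way for a caller to reject the three oversized inputs above before they reach mdb_put() or mdb_cursor_put(), as an added example that is not part of the original report or of liblmdb. The names check_put_sizes(), truncated_len() and struct put_req, the key limit of 511 passed in main(), and the rule that MDB_DUPSORT data share the key limit are assumptions for illustration; a real caller would pass the limit its liblmdb build enforces.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical caller-side guard; none of these names exist in liblmdb. */
#define DATA_LEN_MAX 0xffffffffULL  /* the report's mask: length kept in 32 bits */

struct put_req {
    uint64_t key_len;   /* 64-bit so the checks also hold on 32-bit builds */
    uint64_t data_len;
    int dupsort;        /* nonzero if the DBI was opened with MDB_DUPSORT */
};

/* Length that would end up stored if the size were silently masked. */
uint32_t truncated_len(uint64_t len)
{
    return (uint32_t)(len & DATA_LEN_MAX);
}

/* Return 0 if the sizes are acceptable, EINVAL otherwise.
 * max_key is the key size limit of the liblmdb build in use (assumed input). */
int check_put_sizes(const struct put_req *r, uint64_t max_key)
{
    if (r->key_len == 0 || r->key_len > max_key)
        return EINVAL;              /* key empty or too big */
    if (r->dupsort && r->data_len > max_key)
        return EINVAL;              /* assumed: DUPSORT data share the key limit */
    if (r->data_len > DATA_LEN_MAX)
        return EINVAL;              /* would be masked to 32 bits */
    return 0;
}

int main(void)
{
    /* Constructed sizes mirroring the three cases in the report, plus one valid put. */
    struct put_req cases[] = {
        {3, 5000000000ULL, 0}, {3, 10000, 1}, {8000, 5, 0}, {3, 5, 1},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: %s\n", i,
               check_put_sizes(&cases[i], 511) ? "EINVAL" : "ok");
    printf("5000000000 masked to 32 bits: %u\n",
           (unsigned)truncated_len(5000000000ULL));
    return 0;
}
```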