Full_Name: Matthew Hardin Version: 2.4.33+ OS: All URL: ftp://ftp.openldap.org/incoming/sha2.c-diff.txt Submission from: (NULL) (69.43.206.100) contrib/slapd-modules/passwd/sha2/sha2.c uses a series of context buffers and zeros them out in several places using the following macro: MEMSET_BZERO(context, sizeof(context)) The variable 'context' is a pointer to a context buffer, so sizeof will evaluate to the size of a pointer for the particular platform. As a result, the context buffer is only partially zeroed. The correct invocation is: MEMSET_BZERO(context, sizeof(*context)) which will zero out the complete context buffer. The referenced diff details the changes to sha2.c that are necessary to correct this issue. Note this also cleans up warnings reported by MacOS's clang compiler. I, Matthew Hardin, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.
--On Friday, January 11, 2013 6:19 AM +0000 mhardin@symas.com wrote: > Full_Name: Matthew Hardin > Version: 2.4.33+ > OS: All > URL: ftp://ftp.openldap.org/incoming/sha2.c-diff.txt > Submission from: (NULL) (69.43.206.100) > > > contrib/slapd-modules/passwd/sha2/sha2.c uses a series of context buffers > and zeros them out in several places using the following macro: > > MEMSET_BZERO(context, sizeof(context)) > > The variable 'context' is a pointer to a context buffer, so sizeof will > evaluate to the size of a pointer for the particular platform. As a > result, the context buffer is only partially zeroed. > > The correct invocation is: > > MEMSET_BZERO(context, sizeof(*context)) > > which will zero out the complete context buffer. > > The referenced diff details the changes to sha2.c that are necessary to > correct this issue. > > Note this also cleans up warnings reported by MacOS's clang compiler. > > I, Matthew Hardin, hereby place the following modifications to OpenLDAP > Software (and only these modifications) into the public domain. Hence, > these modifications may be freely used and/or redistributed for any > purpose with or without attribution and/or other notice. Can you resubmit the patch using git-format-patch? Or at least using unified diff format? ;) --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
changed notes changed state Open to Test moved from Incoming to Software Bugs
changed notes changed state Test to Release
changed notes changed state Release to Closed
Fixed in master Fixed in RE24