[Date Prev][Date Next] [Chronological] [Thread] [Top]

Memory allocation bug in SASL code (ITS#1714)

To: openldap-its@OpenLDAP.org
Subject: Memory allocation bug in SASL code (ITS#1714)
From: simon@sxw.org.uk
Date: Tue, 2 Apr 2002 20:51:56 GMT

Full_Name: Simon Wilkinson
Version: 2.1.0alpha
OS: Linux
URL: 
Submission from: (NULL) (213.1.185.214)


There's a bug in the memory allocation in slap_sasl_getdn in sasl.c, which
results
in the string allocated having insufficient space for the terminating 'NULL'
character. This scribbles on malloc's stack and leads to random segmentation 
faults later.

'len' is assembled between lines 211 -> 218. At no point is space for the
terminating character added. Running under Electric Fence shows the error when
the final character is added by the last slap_strcopy.

Fix seems fairly simple - I've attached a quick diff below - hopefully it won't
be too corrupted by your ITS.

diff -u -r1.82 sasl.c
--- sasl.c      2002/03/11 02:05:43     1.82
+++ sasl.c      2002/04/02 20:42:33
@@ -220,7 +220,7 @@
 
                /* Build the new dn */
                c1 = dn->bv_val;
-               dn->bv_val = ch_malloc( len );
+               dn->bv_val = ch_malloc( len+1 );
                p = slap_strcopy( dn->bv_val, "uid=" );
                p = slap_strcopy( p, c1 );
                ch_free( c1 );

Prev by Date: Cyrus IMAP/SASLV2 -> salsauthd -> PAM -> LDAP; indexing uid? (ITS#1713)
Next by Date: Untested patch: back-tcl used wrong types (ITS#1719)
Index(es):
- Chronological
- Thread