
Memory allocation bug in SASL code (ITS#1714)

Full_Name: Simon Wilkinson
Version: 2.1.0alpha
OS: Linux
Submission from: (NULL) (

There's a bug in the memory allocation in slap_sasl_getdn in sasl.c, which
results in the string allocated having insufficient space for the terminating 'NULL'
character. This scribbles on malloc's stack and leads to random segmentation
faults later.

'len' is assembled between lines 211 -> 218. At no point is space for the
terminating character added. Running under Electric Fence shows the error when
the final character is added by the last slap_strcopy.

Fix seems fairly simple - I've attached a quick diff below - hopefully it won't
be too corrupted by your ITS.

diff -u -r1.82 sasl.c
--- sasl.c      2002/03/11 02:05:43     1.82
+++ sasl.c      2002/04/02 20:42:33
@@ -220,7 +220,7 @@
                /* Build the new dn */
                c1 = dn->bv_val;
-               dn->bv_val = ch_malloc( len );
+               dn->bv_val = ch_malloc( len+1 );
                p = slap_strcopy( dn->bv_val, "uid=" );
                p = slap_strcopy( p, c1 );
                ch_free( c1 );
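Review bot: the `len+1` at the `ch_malloc` line is the right shape of fix for a missing terminator, but the hunk does not show how `len` is computed (the report puts that at lines 211-218), so this context alone cannot confirm that `len` already covers the 4 bytes of `"uid="` plus the length of `c1` that the two `slap_strcopy` calls below write; a short comment at the allocation, e.g. `/* +1 for the terminating NUL */`, would record why the extra byte is there so it is not "cleaned up" later.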
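The report describes the classic undercount: the length of the pieces is summed, but the one byte the final copy writes for the terminator is never added, so the last `slap_strcopy` writes past the allocation. The following is an added example, not OpenLDAP code; it assumes a `slap_strcopy`-style helper that returns a pointer to the terminator it wrote (named `copy_to_end` here) and shows a sizing function kept separate from the allocation so the `+1` is explicit and checkable.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenLDAP's slap_strcopy: copy src to dst and return a
 * pointer to the NUL written at the end, so calls can be chained the way the
 * report's slap_strcopy() calls are (assumed to behave the same way). */
static char *copy_to_end(char *dst, const char *src)
{
    while ((*dst = *src++) != '\0')
        dst++;
    return dst;
}

/* Bytes of characters in "uid=<uid>", NOT counting the terminator.
 * This is the kind of value the report's 'len' holds; it must be passed to
 * the allocator as len + 1, never as len. */
size_t uid_dn_len(const char *uid)
{
    return strlen("uid=") + strlen(uid);
}

/* Return 1 if a buffer of `alloc` bytes can hold "uid=<uid>" plus its NUL.
 * alloc == uid_dn_len(uid) is exactly one byte short: the bug in the report. */
int fits_with_nul(size_t alloc, const char *uid)
{
    return alloc >= uid_dn_len(uid) + 1;
}

/* Build "uid=<uid>" into a freshly allocated buffer sized for the terminator.
 * Returns NULL on allocation failure; the caller frees the result. */
char *build_uid_dn(const char *uid)
{
    size_t len = uid_dn_len(uid);
    char *dn = malloc(len + 1);          /* +1: room for the terminating NUL */
    if (dn == NULL)
        return NULL;
    char *p = copy_to_end(dn, "uid=");   /* p now points at dn[4] */
    copy_to_end(p, uid);                 /* writes uid and the NUL at dn[len] */
    return dn;
}
```

Running it with a constructed uid such as `"alice"` gives `uid_dn_len` = 9, `fits_with_nul(9, "alice")` = 0 and `fits_with_nul(10, "alice")` = 1, which is the one-byte difference between the `-` and `+` lines of the patch above; tools like Electric Fence, as the report notes, catch the undersized case at the final copy.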