[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldap_controls_dup() writes beyond allocated memory (ITS#1898)

Full_Name: David Steck
Version: OPENLDAP_REL_ENG_2_1_2
OS: Windows
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

ldap_controls_dup() allocates an array of LDAPControl pointers.
It doesn't allocate one for the NULL pointer at the end, but writes to it.

Simple patch in libraries\libldap\controls.c:

<       new = (LDAPControl **) LDAP_MALLOC( i * sizeof(LDAPControl *) );
>       new = (LDAPControl **) LDAP_MALLOC( (i+1) * sizeof(LDAPControl *) );