
Re: (ITS#5558) Buffer Overflow in back_sock and back_shell



stef@memberwebs.com wrote:
> Full_Name: Stef Walter
> Version: openldap 2.4.10
> OS: FreeBSD 6.3-RELEASE-p2
> URL: http://memberwebs.com/stef/scraps/openldap24-buffer-overflow.patch
> Submission from: (NULL) (189.162.38.105)
>
>
> The back_sock and back_shell backends have a buffer overflow (off by one)
> problem in their result parsing code in read_and_send_results() lines 82-89 in
> result.c. The buffer is reallocated when an additional string would be too long
> for the buffer, but the string's null terminator is not taken into account.
>
> This can cause a crash in certain situations. These situations are obviously
> data and OS dependent. But with specific data, the crash is reproducible.
>
> Patch which fixes the problem:

Thanks, now fixed in CVS HEAD.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
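The report above describes a realloc-on-demand result buffer whose capacity check counts the incoming string but not its terminating NUL. The following is a constructed, stand-alone illustration of that pattern added here for readers of the archive; it is not OpenLDAP's result.c and none of the names (`fits_buggy`, `fits_fixed`, `resbuf`, `accumulate`) come from the project. It places the defective sizing test next to the corrected one and exercises only the corrected appender, so the program never writes past its allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not OpenLDAP code): a result buffer that grows
 * whenever the next line would not fit, as described in ITS#5558. */

/* Defective sizing test: it ignores the terminating NUL. When
 * len + add == cap it reports "fits", yet copying the string and its
 * NUL would write buf[cap], one byte past the allocation. */
int fits_buggy(size_t len, size_t add, size_t cap) {
    return len + add <= cap;
}

/* Corrected sizing test: reserve one extra byte for the NUL. */
int fits_fixed(size_t len, size_t add, size_t cap) {
    return len + add + 1 <= cap;
}

typedef struct {
    char *buf;
    size_t len;   /* bytes in use, excluding the NUL */
    size_t cap;   /* bytes allocated */
} resbuf;

/* Append one line, growing the buffer with the corrected test.
 * Returns 0 on success, -1 on allocation failure. */
int resbuf_append(resbuf *r, const char *line) {
    size_t add = strlen(line);
    if (!fits_fixed(r->len, add, r->cap)) {
        size_t ncap = r->cap ? r->cap : 64;
        while (ncap < r->len + add + 1)
            ncap *= 2;
        char *nb = realloc(r->buf, ncap);
        if (!nb)
            return -1;
        r->buf = nb;
        r->cap = ncap;
    }
    memcpy(r->buf + r->len, line, add + 1); /* add + 1 copies the NUL too */
    r->len += add;
    return 0;
}

/* Accumulate n lines starting from an initial_cap-byte buffer.
 * Returns a NUL-terminated string the caller frees, or NULL on failure. */
char *accumulate(const char *const *lines, size_t n, size_t initial_cap) {
    resbuf r = { NULL, 0, 0 };
    r.buf = malloc(initial_cap);
    if (!r.buf)
        return NULL;
    r.buf[0] = '\0';
    r.cap = initial_cap;
    for (size_t i = 0; i < n; i++) {
        if (resbuf_append(&r, lines[i]) != 0) {
            free(r.buf);
            return NULL;
        }
    }
    return r.buf;
}

/* Constructed sample: two lines totalling exactly 8 bytes, fed into an
 * 8-byte buffer. The buggy test would keep the 8-byte buffer and let the
 * NUL land at index 8; the fixed appender grows the buffer first.
 * Returns 1 when the accumulated result matches the expected text. */
int sample_result_ok(void) {
    static const char *const lines[] = { "dn: a\n", "x\n" }; /* 6 + 2 bytes */
    char *out = accumulate(lines, 2, 8);
    if (!out)
        return 0;
    int ok = strcmp(out, "dn: a\nx\n") == 0;
    free(out);
    return ok;
}

int main(void) {
    printf("len 6 + add 2 in cap 8: buggy says fits=%d, fixed says fits=%d\n",
           fits_buggy(6, 2, 8), fits_fixed(6, 2, 8));
    printf("sample accumulated correctly: %d\n", sample_result_ok());
    return 0;
}
```

The two sizing functions differ only on the boundary case where the used bytes plus the new string exactly equal the capacity; that is the one-byte gap the report calls an off-by-one. Any code that grows a string buffer with a comparison against the capacity should be reviewed for that `+ 1`, and a test that fills the buffer to exactly its capacity is the cheapest way to catch it.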