[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5558) Buffer Overflow in back_sock and back_shell

stef@memberwebs.com wrote:
> Full_Name: Stef Walter
> Version: openldap 2.4.10
> OS: FreeBSD 6.3-RELEASE-p2
> URL: http://memberwebs.com/stef/scraps/openldap24-buffer-overflow.patch
> Submission from: (NULL) (
> The back_sock and back_shell backends have a buffer overflow (off by one)
> problem in their result parsing code in read_and_send_results() lines 82-89 in
> result.c. The buffer is reallocated when an additional string would be too long
> for the buffer, but the string's null terminator is not taken into account.
> This can cause a crash in certain situations. These situations are obviously
> data and OS dependent. But with specific data, the crash is reproducible.
> Patch which fixes the problem:

Thanks, now fixed in CVS HEAD.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/