
Re: (ITS#6303) Buffer overflow with new glibc
jzeleny@redhat.com writes:
> I guess the new version of glibc has some kind of mechanism which is
> checking the boundaries of structures and isn't allowing writes outside
> those boundaries.

Could you test if this works instead?
   http://folk.uio.no/hbf/ol-struct-hack-1.patch
If that doesn't work, similar code elsewhere may be in danger.

Not that it's important in this case since the back-ldif code
isn't run often.  It just avoids one malloc, one check for whether
that succeeded, and one free.  Your patch forgot the last two.


Actually the boundary check you mention is exactly the problem the
BVL_NAME macro avoids, though I'm not sure why I didn't just use
the standard "struct hack".  Maybe the problem is with padding
bytes after fname.  Anyway, I suppose this means the old "struct
hack" is now definitely getting dangerous to use.

Whatever is going on, I'd like to find out.  Which versions of gcc
and glibc, and which architecture is this?  (32-bit i686, 64-bit
AMD, etc.)  And if it doesn't take much time, could you try whether
these variants fix the problem too?
   http://folk.uio.no/hbf/ol-struct-hack-2.patch
   http://folk.uio.no/hbf/ol-struct-hack-3.patch
I don't plan to use them, we can use your variant if my first
patch doesn't work.  I'm just curious what's going on.

-- 
Hallvard
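The two layouts this thread is about, as an added example rather than OpenLDAP's own code (the names `bvl_old`, `bvl_fam`, `bvl_old_new`, `bvl_new` and the sizing helpers are assumed here): the old "struct hack" with a trailing one-element array, beside the C99 flexible array member allocated with offsetof so padding after the last fixed member is not counted twice.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Old "struct hack": name[1] is declared with one element and callers
 * over-allocate.  A bounds check keyed to the declared size (the
 * mechanism the thread suspects glibc now applies) sees a 1-byte array. */
struct bvl_old {
    size_t len;
    char   name[1];
};

/* C99 flexible array member: the array has no declared size, so the
 * allocated size is the only bound and no padding follows 'len'. */
struct bvl_fam {
    size_t len;
    char   name[];
};

/* Conventional struct-hack sizing: sizeof() already includes name[1]
 * plus any tail padding, so this over-estimates by a few bytes. */
size_t bvl_old_alloc_size(size_t len) { return sizeof(struct bvl_old) + len; }

/* Flexible-array sizing: offset of the array plus the bytes actually
 * needed (len characters and the NUL), nothing counted twice. */
size_t bvl_fam_alloc_size(size_t len) { return offsetof(struct bvl_fam, name) + len + 1; }

struct bvl_old *bvl_old_new(const char *s)
{
    size_t len = strlen(s);
    struct bvl_old *p = malloc(bvl_old_alloc_size(len));   /* one malloc ... */
    if (p == NULL)                                         /* ... one check ... */
        return NULL;
    p->len = len;
    memcpy(p->name, s, len + 1);   /* writes past name[1] by design of the hack */
    return p;                      /* ... and the caller owes one free() */
}

struct bvl_fam *bvl_new(const char *s)
{
    size_t len = strlen(s);
    struct bvl_fam *p = malloc(bvl_fam_alloc_size(len));
    if (p == NULL)
        return NULL;
    p->len = len;
    memcpy(p->name, s, len + 1);   /* within the allocation; no declared bound to trip */
    return p;
}
```

Building with a fortified glibc and comparing which of the two constructors is flagged is the quickest way to confirm the guess made in the thread.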