
(ITS#6371) problem with ber_flatten2

Full_Name: Dave Daugherty
Version: 2.2.6 and 2.4.17
OS: RedHat EL3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

We use ber_flatten2 in an unusual way, but I think this issue is generic.

int ber_flatten2(
            BerElement *ber,
            struct berval *bv,
            int alloc )

            /* copy the berval */
            ber_len_t len = ber_pvt_ber_write( ber );

            if ( alloc ) {
                        bv->bv_val = (char *) ber_memalloc_x( len + 1, ber->ber_memctx );
                        if ( bv->bv_val == NULL ) {
                                    return -1;
                        }
                        AC_MEMCPY( bv->bv_val, ber->ber_buf, len );

            } else {
                        bv->bv_val = ber->ber_buf;
            }

            bv->bv_val[len] = '\0';   <- ????
            bv->bv_len = len;

The problem I have is a crash, because of the bv->bv_val[len] = '\0' when alloc
is set to zero, AND the buffer that was passed in was generated by ber_realloc,
which did not leave an extra byte at the end, resulting in a write beyond the
allocated memory block.

The questions I have are:

1) Is the zero terminator really necessary?

2) If so, seems like it should only be done if we actually allocated a new
buffer (which does leave one byte at the end).
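The off-by-one described in this report, modelled in C as an added example. This is not liblber code and not the reporter's code: it uses a simplified stand-in for BerElement with an explicit capacity field, a guard byte placed one past the content region so the out-of-bounds store can be observed without corrupting the heap, and a hypothetical `flatten_checked` that follows the reporter's second question (terminate only into memory the function allocated itself, otherwise only when the caller's buffer has a spare byte). It is one possible fix written for illustration, not OpenLDAP's resolution of the issue.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the liblber types; not the real definitions. */
typedef unsigned long ber_len_t;

struct berval {
    ber_len_t bv_len;
    char     *bv_val;
};

/* Model BerElement: content buffer with an explicit capacity, so the example can
 * tell whether a flatten stored past the bytes allocated for content. */
struct model_ber {
    char      *ber_buf;  /* start of encoded data */
    ber_len_t  ber_len;  /* bytes written so far (what ber_pvt_ber_write() reports) */
    ber_len_t  ber_cap;  /* bytes allocated for content; may equal ber_len exactly */
};

#define GUARD_BYTE 0xA5

/* Allocate exactly `cap` content bytes plus one guard byte after them, and copy
 * `len` bytes of data in. The guard byte is outside the content region on purpose. */
static int model_ber_init(struct model_ber *ber, const char *data, ber_len_t len, ber_len_t cap)
{
    if (len > cap) return -1;
    ber->ber_buf = malloc(cap + 1);
    if (ber->ber_buf == NULL) return -1;
    memcpy(ber->ber_buf, data, len);
    ber->ber_buf[cap] = (char)GUARD_BYTE;
    ber->ber_len = len;
    ber->ber_cap = cap;
    return 0;
}

/* 1 if something stored past ber_cap, i.e. the guard byte no longer holds its value. */
static int model_ber_guard_hit(const struct model_ber *ber)
{
    return (unsigned char)ber->ber_buf[ber->ber_cap] != GUARD_BYTE;
}

/* Mirrors the logic quoted in the report: the terminator is written on both paths,
 * so with alloc == 0 it lands at ber_buf[len] regardless of the buffer's capacity. */
static int flatten_as_reported(struct model_ber *ber, struct berval *bv, int alloc)
{
    ber_len_t len = ber->ber_len;
    if (alloc) {
        bv->bv_val = malloc(len + 1);            /* len + 1: room for the terminator */
        if (bv->bv_val == NULL) return -1;
        memcpy(bv->bv_val, ber->ber_buf, len);
    } else {
        bv->bv_val = ber->ber_buf;               /* caller's buffer, capacity unknown here */
    }
    bv->bv_val[len] = '\0';                      /* off by one when len == capacity */
    bv->bv_len = len;
    return 0;
}

/* Hypothetical fix: only terminate memory this function allocated; when handing back
 * the caller's buffer, terminate only if a spare byte exists, else refuse. */
static int flatten_checked(struct model_ber *ber, struct berval *bv, int alloc)
{
    ber_len_t len = ber->ber_len;
    if (alloc) {
        bv->bv_val = malloc(len + 1);
        if (bv->bv_val == NULL) return -1;
        memcpy(bv->bv_val, ber->ber_buf, len);
        bv->bv_val[len] = '\0';
    } else {
        if (len >= ber->ber_cap) return -1;      /* no room for a terminator: do not overflow */
        bv->bv_val = ber->ber_buf;
        bv->bv_val[len] = '\0';
    }
    bv->bv_len = len;
    return 0;
}

/* Run one scenario over a constructed 5-byte encoding (SEQUENCE { INTEGER 5 }).
 * Returns 1 if the guard byte was overwritten, 0 if the call succeeded cleanly,
 * -1 if the flatten refused (nonzero return), -2 on setup failure. */
static int scenario(int (*fn)(struct model_ber *, struct berval *, int),
                    ber_len_t len, ber_len_t cap, int alloc)
{
    static const char data[] = "\x30\x03\x02\x01\x05";
    struct model_ber ber;
    struct berval bv;
    int rc, result;

    if (len > sizeof data - 1 || model_ber_init(&ber, data, len, cap) != 0) return -2;
    rc = fn(&ber, &bv, alloc);
    result = (rc != 0) ? -1 : model_ber_guard_hit(&ber);
    if (alloc && rc == 0) free(bv.bv_val);
    free(ber.ber_buf);
    return result;
}
```

With a buffer sized exactly to its content (len == cap) and alloc == 0, `flatten_as_reported` overwrites the guard byte, which is the same store that lands one past a tight ber_realloc allocation in the report; with a single spare byte, or with alloc set, it does not. `flatten_checked` never touches the guard byte and instead returns -1 in the tight case, so a caller that needs the terminator has to supply a buffer with room for it.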