
(ITS#6474) test004 (hdb) crashes when slapd is compiled with -D_FORTIFY_SOURCE=2

Full_Name: Ralf Haferkamp
Version: HEAD, RE24
OS: linux (gcc 4.5)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: ralf

gcc 4.5 will do some stricter checks for buffer overflows when compiling with 
-D_FORTIFY_SOURCE=2. Current HEAD aborts in test004-modify with:

*** buffer overflow detected ***:
/usr/src/packages/BUILD/openldap-2.4.21/servers/slapd/.libs/slapd terminated
======= Backtrace: =========
#0  0x00007f207dc6b9c5 in raise () from /lib64/libc.so.6
#1  0x00007f207dc6ced6 in abort () from /lib64/libc.so.6
#2  0x00007f207dca6ba9 in __libc_message () from /lib64/libc.so.6
#3  0x00007f207dd20537 in __fortify_fail () from /lib64/libc.so.6
#4  0x00007f207dd1e2e0 in __chk_fail () from /lib64/libc.so.6
#5  0x00007f207fa89769 in strcpy () at dn2id.c:679

There is no real buffer overflow here AFAICS, but the real problem is that the
destination of the strcpy() is defined as char[1] in this case (it's the nrdn
member of a struct diskNode). The additional runtime check when compiling with
-D_FORTIFY_SOURCE=2 sees that the destination data will not fit in there and
The easiest fix here (apart from not building with -D_FORTIFY_SOURCE=2) is to
use memcpy instead of strcpy here. I'll submit that later today.
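Editor's note, with an added example that is not OpenLDAP's code and not part of the report above. The struct below is a simplified stand-in for back-bdb's diskNode (field names, sizes and the sample DN are made up), written to show why the strcpy() trips the check only at fortify level 2 and why switching to memcpy() silences it without hiding a real overflow. In glibc's fortify headers, strcpy() is routed to __strcpy_chk() with the destination size taken from __builtin_object_size(dest, 1) when _FORTIFY_SOURCE is greater than 1 (mode 0 otherwise); mode 1 measures only the innermost enclosing subobject, so a trailing `char nrdn[1]` is reported as one byte even when the malloc() behind it is larger. memcpy() is routed to __memcpy_chk() with __builtin_object_size(dest, 0), which measures to the end of the whole object; for a heap block of non-constant size that is unknown, (size_t)-1, and the runtime check is skipped. Whether a given compiler version treats a trailing one-element array as a fixed-size subobject varies (newer GCC has -fstrict-flex-arrays for this), so the two bos_* helpers only print what the compiler in use decided.

```c
/*
 * Added illustration (not OpenLDAP code): a struct ending in a one-element
 * char array, allocated with extra trailing space, filled with strcpy()
 * versus memcpy().  The struct and field names are a made-up stand-in for
 * back-bdb's diskNode.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for diskNode: fixed header, then a one-byte array that
 * is really the start of a variable-length string (the "struct hack"). */
typedef struct node {
    unsigned int entry_id;
    unsigned int nrdn_len;
    char         nrdn[1];   /* actual storage is nrdn_len + 1 bytes */
} node;

static node *node_alloc(size_t nrdn_len)
{
    /* sizeof(node) already includes one byte of nrdn; add the rest of the
     * string plus its terminator.  The size is not a compile-time constant,
     * so __builtin_object_size(d->nrdn, 0) cannot know how big it is. */
    node *d = malloc(sizeof(node) + nrdn_len + 1);
    if (d == NULL) {
        perror("malloc");
        exit(1);
    }
    d->entry_id = 0;
    d->nrdn_len = (unsigned int) nrdn_len;
    return d;
}

/* The pattern the report is about.  With -D_FORTIFY_SOURCE=2 (and a compiler
 * that sizes the trailing char[1] as one byte, as gcc 4.5 did) glibc's
 * __strcpy_chk() sees destination size 1, so any non-empty string aborts with
 * "*** buffer overflow detected ***" although the allocation is large enough.
 * Deliberately not exercised by the tests for that reason. */
node *node_fill_strcpy(const char *s)
{
    node *d = node_alloc(strlen(s));
    strcpy(d->nrdn, s);
    return d;
}

/* The fix: memcpy() with the length we already computed and allocated for.
 * glibc checks memcpy() against __builtin_object_size(d->nrdn, 0), the size
 * of the whole object, which is unknown here, so no runtime check fires.  The
 * copy is still bounded by the caller's own length, not by luck. */
node *node_fill_memcpy(const char *s)
{
    size_t len = strlen(s);
    node *d = node_alloc(len);
    memcpy(d->nrdn, s, len + 1);   /* +1 copies the NUL terminator */
    return d;
}

/* What the compiler believes the destination size to be in each mode.  The
 * answer depends on compiler version and optimisation level; at -O0 GCC may
 * report (size_t)-1 for both. */
size_t bos_subobject(node *d) { return __builtin_object_size(d->nrdn, 1); }
size_t bos_whole(node *d)     { return __builtin_object_size(d->nrdn, 0); }

int main(void)
{
    const char *sample = "cn=ralf,dc=example,dc=com";   /* constructed input */
    node *d = node_fill_memcpy(sample);
    printf("nrdn=%s len=%u\n", d->nrdn, d->nrdn_len);
    printf("object size seen by fortify: mode1=%zu mode0=%zu\n",
           bos_subobject(d), bos_whole(d));
    free(d);
    return 0;
}
```

Build it twice, once with `-O2 -D_FORTIFY_SOURCE=2` and once with `-O2 -D_FORTIFY_SOURCE=1`, and add a call to node_fill_strcpy() to main to see the abort appear only in the first build; the memcpy() variant runs cleanly in both.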