
Re: (ITS#7582) Access to uninitialized memory when sending cldap packet

stefw@redhat.com wrote:
> Full_Name: Stef Walter
> Version: 2.4.35
> OS: Fedora 18
> URL: http://fedorapeople.org/~stefw/patches/openldap-01/0001-Fix-usage-of-uninitialized-memory-when-sending-cldap.patch
> Submission from: (NULL) (
> When sending a cldap (UDP) packet, like a search request, uninitialized memory
> is accessed. This shows up in valgrind like this:
> ==31445== Conditional jump or move depends on uninitialised value(s)
> ==31445==    at 0x36632244E6: ldap_send_server_request (request.c:377)
> ==31445==    by 0x36632247C2: ldap_send_initial_request (request.c:166)
> ==31445==    by 0x36632142F8: ldap_pvt_search (search.c:128)
> ==31445==    by 0x366321454F: ldap_search_ext (search.c:69)
> ==31445==    by 0x400838: main (in /data/projects/openldap/frob-cldap-search)
> ==31445==
> This is due to parsing the resulting packet to pull out a requestDN. UDP packets
> have different BER layout, and therefore the assumptions made when parsing the
> outgoing request are invalid.
> It does not seem necessary to track the request DN for UDP packets. The linked
> patch disables this code path for UDP packets.
> Patch which fixes the issue:
> http://fedorapeople.org/~stefw/patches/openldap-01/0001-Fix-usage-of-uninitialized-memory-when-sending-cldap.patch
> Test code for the issue:
> http://fedorapeople.org/~stefw/patches/openldap-01/frob-cldap-search.c
> Note that the test code doesn't detect the issue on its own (or do anything
> useful). Use valgrind to detect the issue:
> $ gcc -o frob-cldap-search -Wall -lldap -llber frob-cldap-search.c
> $ valgrind ./frob-cldap-search

Your patch doesn't fix the issue. The behavior under valgrind is unchanged 
either way. Seems you're missing a '!' in your test.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
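The defect class in the report (a field that one wire layout fills in and the other never writes, later tested by shared code) is easy to reproduce in miniature. The following is an added example written for this thread, not OpenLDAP's request.c or Stef's patch: it uses two constructed layouts (a stream layout that carries a name, a datagram layout that does not) and shows the defensive shape that keeps the caller's test well-defined on both paths, namely initializing every output field before any path can return. Compiling the buggy form (without the memset) and running it under valgrind, as the report's build line shows, gives the same "conditional jump depends on uninitialised value(s)" report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not OpenLDAP code. Two wire layouts share one parser:
 *   STREAM:   [tag][name_len][name bytes...]
 *   DATAGRAM: [2-byte prefix][tag]              (no name field at all)
 * This mirrors the report: the UDP (CLDAP) layout differs from the TCP one,
 * and a field parsed only on one path is later tested on the other. */
enum layout { LAYOUT_STREAM = 0, LAYOUT_DATAGRAM = 1 };

struct parsed_msg {
    uint8_t tag;
    int have_name;        /* 1 only if a name was parsed on this path */
    size_t name_len;
    const uint8_t *name;
};

/* Parse one message. Every output field is written before any path can
 * return, so the caller may test have_name/name_len for either layout
 * without reading memory the parser never set (what valgrind flagged).
 * Returns 0 on success, -1 if the buffer is too short for its layout. */
int parse_msg(enum layout lay, const uint8_t *buf, size_t len, struct parsed_msg *out)
{
    memset(out, 0, sizeof *out);    /* have_name = 0, name_len = 0, name = NULL */

    if (lay == LAYOUT_DATAGRAM) {
        if (len < 3)
            return -1;
        out->tag = buf[2];
        return 0;                   /* nothing to track on this path */
    }

    if (len < 2)
        return -1;
    out->tag = buf[0];
    out->name_len = buf[1];
    if (len < 2 + out->name_len)
        return -1;                  /* truncated name: fail, don't read past buf */
    out->name = buf + 2;
    out->have_name = 1;
    return 0;
}

/* Caller-side decision: should a request name be recorded for this message?
 * Defined for datagrams too, because parse_msg always wrote have_name. */
int track_name(const struct parsed_msg *m)
{
    return m->have_name && m->name_len > 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t sample_stream[] = { 0x63, 3, 'd', 'c', '=' };
static const uint8_t sample_dgram[]  = { 0x00, 0x01, 0x63 };
static const uint8_t sample_short[]  = { 0x63, 5, 'a' };

/* Runs the three cases; returns 0 if all pass, else the number of the
 * first failing step. */
int self_check(void)
{
    struct parsed_msg m;

    if (parse_msg(LAYOUT_STREAM, sample_stream, sizeof sample_stream, &m) != 0)
        return 1;
    if (m.tag != 0x63 || !track_name(&m) || m.name_len != 3)
        return 2;

    if (parse_msg(LAYOUT_DATAGRAM, sample_dgram, sizeof sample_dgram, &m) != 0)
        return 3;
    if (m.tag != 0x63 || track_name(&m) || m.name != NULL)
        return 4;      /* datagram path: name absent, and that is well-defined */

    if (parse_msg(LAYOUT_STREAM, sample_short, sizeof sample_short, &m) != -1)
        return 5;      /* truncated name must be rejected, not read past the end */
    return 0;
}

int main(void)
{
    return self_check();
}
```

The point of the memset is not speed but determinism: once every field is written on every path, the caller's `if (track_name(...))` no longer depends on whatever the stack held, and valgrind's report disappears for the right reason rather than by accident.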