[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability

On 12/09/15 16:24, michael@stroeder.com wrote:
> I've compiled with CFLAGS="-DNDEBUG" (also tried CPPFLAGS) but this did not
> help. slapd still crashes when hitting the assert.

Yes, portable.h #undefs it by default.  OpenLDAP has always conflated
logging, debug output and asserts behind LDAP_DEBUG.  We've been saying
for some time that we really ought to do something about that someday...

Even ignoring that, demanding -NDEBUG is backwards in so many ways:

Using C's features like <assert.h> is not the user's job, it's
OpenLDAP's (i.e. configure and portable.hin).  The person building
OpenLDAP might not even be a C programmer who knows about the C
language quirk that it has a feature makes errors crash by default.

A simple "./configure --prefix=/whatever" ought to be a reasonable way
to build OpenLDAP, like with most other packages.  There are
installation instructions and they do not mention NDEBUG.

In particular since this isn't even about catching a bug in OpenLDAP,
but in the input.  If someone wants to crash-debug the input to slapd,
let him #define something when building slapd.  You could replace the
assert() with debug_assert() or something.  The same goes for any
other assert which doesn't mean "assert(the code is correct)".