[Date Prev][Date Next]
Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability
On 12/09/15 16:24, firstname.lastname@example.org wrote:
> I've compiled with CFLAGS="-DNDEBUG" (also tried CPPFLAGS) but this did not
> help. slapd still crashes when hitting the assert.
Yes, portable.h #undefs it by default. OpenLDAP has always conflated
logging, debug output and asserts behind LDAP_DEBUG. We've been saying
for some time that we really ought to do something about that someday...
Even ignoring that, demanding -NDEBUG is backwards in so many ways:
Using C's features like <assert.h> is not the user's job, it's
OpenLDAP's (i.e. configure and portable.hin). The person building
OpenLDAP might not even be a C programmer who knows about the C
language quirk that it has a feature makes errors crash by default.
A simple "./configure --prefix=/whatever" ought to be a reasonable way
to build OpenLDAP, like with most other packages. There are
installation instructions and they do not mention NDEBUG.
In particular since this isn't even about catching a bug in OpenLDAP,
but in the input. If someone wants to crash-debug the input to slapd,
let him #define something when building slapd. You could replace the
assert() with debug_assert() or something. The same goes for any
other assert which doesn't mean "assert(the code is correct)".