[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability
- From: hyc@symas.com
- Date: Sat, 12 Sep 2015 20:49:42 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
h.b.furuseth@usit.uio.no wrote:
> On 12/09/15 16:24, michael@stroeder.com wrote:
>> I've compiled with CFLAGS="-DNDEBUG" (also tried CPPFLAGS) but this did not
>> help. slapd still crashes when hitting the assert.
>
> Yes, portable.h #undefs it by default. OpenLDAP has always conflated
> logging, debug output and asserts behind LDAP_DEBUG. We've been saying
> for some time that we really ought to do something about that someday...
Yes, and that's more obviously a bug that we can fix.
> Even ignoring that, demanding -NDEBUG is backwards in so many ways:
>
> Using C's features like <assert.h> is not the user's job, it's
> OpenLDAP's (i.e. configure and portable.hin). The person building
> OpenLDAP might not even be a C programmer who knows about the C
> language quirk that it has a feature makes errors crash by default.
It is standard practice in C code. assert() and NDEBUG are part of the C
standard. A person who doesn't know C has no business building the code.
Certainly the libraries are of no use to them if they're not C programmers
already.
> A simple "./configure --prefix=/whatever" ought to be a reasonable way
> to build OpenLDAP, like with most other packages. There are
> installation instructions and they do not mention NDEBUG.
>
> In particular since this isn't even about catching a bug in OpenLDAP,
> but in the input. If someone wants to crash-debug the input to slapd,
> let him #define something when building slapd. You could replace the
> assert() with debug_assert() or something. The same goes for any
> other assert which doesn't mean "assert(the code is correct)".
Every use of assert is "assert(the code is correct)" - but that often depends
on dynamic state, not just the statically written code. Just like
"assert(SOCKBUF_VALID(sb))" or whatever else. That is the case for the assert
in question here.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/