[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability
From: hyc@symas.com
Date: Sat, 12 Sep 2015 20:49:42 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

h.b.furuseth@usit.uio.no wrote:
> On 12/09/15 16:24, michael@stroeder.com wrote:
>> I've compiled with CFLAGS="-DNDEBUG" (also tried CPPFLAGS) but this did not
>> help. slapd still crashes when hitting the assert.
>
> Yes, portable.h #undefs it by default.  OpenLDAP has always conflated
> logging, debug output and asserts behind LDAP_DEBUG.  We've been saying
> for some time that we really ought to do something about that someday...

Yes, and that's more obviously a bug that we can fix.

> Even ignoring that, demanding -NDEBUG is backwards in so many ways:
>
> Using C's features like <assert.h> is not the user's job, it's
> OpenLDAP's (i.e. configure and portable.hin).  The person building
> OpenLDAP might not even be a C programmer who knows about the C
> language quirk that it has a feature makes errors crash by default.

It is standard practice in C code. assert() and NDEBUG are part of the C 
standard. A person who doesn't know C has no business building the code. 
Certainly the libraries are of no use to them if they're not C programmers 
already.

> A simple "./configure --prefix=/whatever" ought to be a reasonable way
> to build OpenLDAP, like with most other packages.  There are
> installation instructions and they do not mention NDEBUG.
>
> In particular since this isn't even about catching a bug in OpenLDAP,
> but in the input.  If someone wants to crash-debug the input to slapd,
> let him #define something when building slapd.  You could replace the
> assert() with debug_assert() or something.  The same goes for any
> other assert which doesn't mean "assert(the code is correct)".

Every use of assert is "assert(the code is correct)" - but that often depends 
on dynamic state, not just the statically written code. Just like 
"assert(SOCKBUF_VALID(sb))" or whatever else. That is the case for the assert 
in question here.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#7964) overlay rwm escape issue with more the 9 rules / rewrite statements
Next by Date: Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability
Index(es):
- Chronological
- Thread