[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
ldapsearch malloc bug
This problem arose in our Mingw32 port and took until now to figure out:
In this snippet from ldapsearch.c:
if( tmpdir == NULL
&& (tmpdir = getenv("TMPDIR")) == NULL
&& (tmpdir = getenv("TMP")) == NULL
&& (tmpdir = getenv("TEMP")) == NULL )
{
tmpdir = "/tmp";
}
if( urlpre == NULL ) {
urlpre = malloc( sizeof("file:///") + strlen(tmpdir) );
if( urlpre == NULL ) {
perror( "malloc" );
return EXIT_FAILURE;
}
sprintf( urlpre, "file:///%s/",
tmpdir[0] == '/' ? &tmpdir[1] : tmpdir );
/* urlpre should be URLized.... */
}
The buffer length for urlpre is potentially short by one byte. The sprintf
drops the leading character if tmpdir[0] is a '/', so on Unix this buffer
will usually be the correct length. But if the first character is kept, then
you get a buffer overrun. On NT we set TEMPDIR to e.g. "C:\tmp" so this
buffer was always being overrun.
It seems to me that either one more byte needs to be allocated, or the
sprintf statement should be replaced with this:
sprintf( urlpre, "file://%s/", tmpdir);
Any preferences?