[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldapsearch malloc bug



This problem arose in our Mingw32 port and took until now to figure out:
In this snippet from ldapsearch.c:

        if( tmpdir == NULL
                && (tmpdir = getenv("TMPDIR")) == NULL
                && (tmpdir = getenv("TMP")) == NULL
                && (tmpdir = getenv("TEMP")) == NULL )
        {
                tmpdir = "/tmp";
        }

        if( urlpre == NULL ) {
                urlpre = malloc( sizeof("file:///") + strlen(tmpdir) );

                if( urlpre == NULL ) {
                        perror( "malloc" );
                        return EXIT_FAILURE;
                }

                sprintf( urlpre, "file:///%s/",
                        tmpdir[0] == '/' ? &tmpdir[1] : tmpdir );

                /* urlpre should be URLized.... */
        }

The buffer length for urlpre is potentially short by one byte. The sprintf
drops the leading character if tmpdir[0] is a '/', so on Unix this buffer
will usually be the correct length. But if the first character is kept, then
you get a buffer overrun. On NT we set TEMPDIR to e.g. "C:\tmp" so this
buffer was always being overrun.

It seems to me that either one more byte needs to be allocated, or the
sprintf statement should be replaced with this:
			sprintf( urlpre, "file://%s/", tmpdir);

Any preferences?