
Re: ldapsearch malloc bug



Actually, the same symptom can be found for the referral string also. When
you send a search request for which the LDAP server sends a referral back,
if in the slapd.conf file you have a referral like
ldap://holmes:6001, it would only send back ldap://holmes:600. Since I was
too busy trying to understand the referral, I didn't check on where the fault
is; rather, in my referral parameter I changed
it to ldap://holmes:6001/ and I get the return result as ldap://holmes:6001.
By the way, I had posted
a query on the functionality of referral to openldap-software; if anyone had
a look, can you please answer, or I guess I have to understand RFC 2251
better. Oh yeah! I am using the code under development which supports
referrals.
bye
bharat

----- Original Message -----
From: Howard Chu <hyc@highlandsun.com>
To: <openldap-devel@openldap.org>
Sent: Thursday, December 02, 1999 1:45 AM
Subject: ldapsearch malloc bug


> This problem arose in our Mingw32 port and took until now to figure out:
> In this snippet from ldapsearch.c:
>
>         if( tmpdir == NULL
>                 && (tmpdir = getenv("TMPDIR")) == NULL
>                 && (tmpdir = getenv("TMP")) == NULL
>                 && (tmpdir = getenv("TEMP")) == NULL )
>         {
>                 tmpdir = "/tmp";
>         }
>
>         if( urlpre == NULL ) {
>                 urlpre = malloc( sizeof("file:///") + strlen(tmpdir) );
>
>                 if( urlpre == NULL ) {
>                         perror( "malloc" );
>                         return EXIT_FAILURE;
>                 }
>
>                 sprintf( urlpre, "file:///%s/",
>                         tmpdir[0] == '/' ? &tmpdir[1] : tmpdir );
>
>                 /* urlpre should be URLized.... */
>         }
>
> The buffer length for urlpre is potentially short by one byte. The sprintf
> drops the leading character if tmpdir[0] is a '/', so on Unix this buffer
> will usually be the correct length. But if the first character is kept, then
> you get a buffer overrun. On NT we set TEMPDIR to e.g. "C:\tmp" so this
> buffer was always being overrun.
> buffer was always being overrun.
>
> It seems to me that either one more byte needs to be allocated, or the
> sprintf statement should be replaced with this:
> sprintf( urlpre, "file://%s/", tmpdir);
>
> Any preferences?
>
>
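The arithmetic behind the off-by-one in the quoted snippet, worked through as an added example (this is not OpenLDAP code, and the function names `urlpre_alloc_size`, `urlpre_bytes_written`, `urlpre_overflows`, `build_urlpre` and `build_urlpre_alt` are mine). It computes how many bytes the original `malloc` reserves versus how many the `sprintf` actually writes for a given `tmpdir`, shows that the two only agree when `tmpdir` starts with `/`, and then builds the same string safely with `snprintf`, sizing the buffer from the exact output. It also checks Howard's second proposal, `"file://%s/"` with the untouched `tmpdir`, which fits the original allocation exactly for every input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the original ldapsearch snippet reserves for urlpre:
 * sizeof("file:///") is 9 (8 characters plus the NUL), so the
 * allocation is 9 + strlen(tmpdir). */
size_t urlpre_alloc_size(const char *tmpdir)
{
    return sizeof("file:///") + strlen(tmpdir);
}

/* Bytes the original sprintf("file:///%s/", ...) actually stores,
 * NUL included: 8 for the scheme prefix, the tmpdir body with a
 * leading '/' stripped, 1 for the trailing '/', 1 for the NUL. */
size_t urlpre_bytes_written(const char *tmpdir)
{
    const char *body = (tmpdir[0] == '/') ? tmpdir + 1 : tmpdir;
    return strlen("file:///") + strlen(body) + 1 + 1;
}

/* 1 when the original allocation is one byte too small, i.e. whenever
 * tmpdir does not begin with '/' (the "C:\tmp" case from the report). */
int urlpre_overflows(const char *tmpdir)
{
    return urlpre_bytes_written(tmpdir) > urlpre_alloc_size(tmpdir);
}

/* Hardened form of the original: size the buffer from the string that
 * will really be written, use snprintf, and treat truncation as an
 * error instead of silently producing a short or overrun buffer.
 * Caller frees the result; NULL on allocation failure or truncation. */
char *build_urlpre(const char *tmpdir)
{
    const char *body = (tmpdir[0] == '/') ? tmpdir + 1 : tmpdir;
    size_t need = strlen("file:///") + strlen(body) + 2; /* '/' + NUL */
    char *urlpre = malloc(need);
    if (urlpre == NULL)
        return NULL;
    int n = snprintf(urlpre, need, "file:///%s/", body);
    if (n < 0 || (size_t)n >= need) {
        free(urlpre);
        return NULL;
    }
    return urlpre;
}

/* Howard's alternative: keep the original 9 + strlen(tmpdir) allocation
 * and emit "file://%s/" with tmpdir untouched. The output is always
 * 7 + strlen(tmpdir) + 1 characters plus a NUL, which is exactly the
 * allocated size, so no extra byte is needed. snprintf is still used
 * here so any future drift in the format string fails loudly. */
char *build_urlpre_alt(const char *tmpdir)
{
    size_t size = urlpre_alloc_size(tmpdir);
    char *urlpre = malloc(size);
    if (urlpre == NULL)
        return NULL;
    int n = snprintf(urlpre, size, "file://%s/", tmpdir);
    if (n < 0 || (size_t)n >= size) {
        free(urlpre);
        return NULL;
    }
    return urlpre;
}

int main(void)
{
    /* Constructed sample values: the Unix default and the NT setting
     * mentioned in the report. */
    const char *samples[] = { "/tmp", "C:\\tmp" };
    for (size_t i = 0; i < 2; i++) {
        printf("tmpdir=%-8s alloc=%zu written=%zu overflow=%d\n",
               samples[i], urlpre_alloc_size(samples[i]),
               urlpre_bytes_written(samples[i]), urlpre_overflows(samples[i]));
        char *u = build_urlpre(samples[i]);
        char *v = build_urlpre_alt(samples[i]);
        printf("  fixed: %s   alt: %s\n", u ? u : "(null)", v ? v : "(null)");
        free(u);
        free(v);
    }
    return 0;
}
```

Note that both forms fix the overrun, but they do not produce the same string for a Windows path: the hardened original yields `file:///C:\tmp/`, while the `"file://%s/"` variant yields `file://C:\tmp/`. Which one is correct is a URL-syntax question (the snippet's own comment says `urlpre` "should be URLized"), not a memory-safety one; the memory-safety point is simply that the buffer length must be derived from the string that is actually written.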