
parse_oid() can cause a core dump (ITS#3065)

Full_Name: Paul Kranenburg
Version: 2.2.7
OS: Solaris 9
Submission from: (NULL) (

In libldap/schema.c:parse_oid(), the pointer array `res' is allocated and
with 3 NULL pointers. If this array needs to be expanded (by calling
the additional trailing storage is not initialized, which may lead to problems
when the array is freed later on, for instance by LDAP_FREE() a few lines
in the same routine which is triggered if the oid list contains syntax errors.

Since the array is expanded by just one element at a time, adding a

    res1[size-1] = NULL;

should solve the problem.
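The allocation pattern the report describes, with the proposed terminator assignment applied, as an added example that is not the libldap code: a constructed list builder that starts from three NULL slots, grows by one element through realloc(), and frees the partial list on a constructed syntax error. The names build_list, free_list and list_len are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Free a NULL-terminated list of strings, stopping at the first NULL. */
void free_list(char **list)
{
    for (size_t i = 0; list != NULL && list[i] != NULL; i++)
        free(list[i]);
    free(list);
}

/* Number of entries before the terminator, or -1 for a NULL list. */
int list_len(char **list)
{
    int n = 0;
    if (list == NULL) return -1;
    while (list[n] != NULL) n++;
    return n;
}

/* Split a comma-separated string into a NULL-terminated list. Starts from
 * three NULL slots and grows one element at a time, as the report describes.
 * An empty token is the constructed "syntax error": the partial list goes
 * through free_list(), which is only safe because every slot past the last
 * token is NULL, hence the assignment right after realloc(). */
char **build_list(const char *input)
{
    size_t size = 3, n = 0;
    char **res = calloc(size, sizeof(char *));
    const char *p = input;
    while (res != NULL && *p != '\0') {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char *tok = len ? malloc(len + 1) : NULL;   /* empty token -> error */
        if (tok == NULL) { free_list(res); return NULL; }
        memcpy(tok, p, len);
        tok[len] = '\0';
        if (n + 1 >= size) {                        /* keep a slot for the NULL */
            char **res1 = realloc(res, (size + 1) * sizeof(char *));
            if (res1 == NULL) { free(tok); free_list(res); return NULL; }
            size++;
            res1[size - 1] = NULL;   /* the fix: realloc() left this slot uninitialized */
            res = res1;
        }
        res[n++] = tok;
        p = end ? end + 1 : p + len;
    }
    return res;
}
```

Without the `res1[size - 1] = NULL` line, the error path on an input such as "a,b,c,,d" would walk past the three real entries into whatever realloc() left in the fourth slot.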