Full_Name: Matthew Backes
Version: 2.4, HEAD
OS: any
URL:
Submission from: (NULL) (76.88.107.46)
The lockobjs in BDB aren't being DBTzero()'d fully before use; they
consist of more than just .data and .size, so this leaves uninitialized
memory that gets branched on.
Needs to be applied to HEAD and 2.4. (2.3 as well, for those still
tracking that for some reason, probably all branches with BDB/HDB)
Patch vs HEAD:
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/back-bdb/cache.c,v
retrieving revision 1.214
diff -u -u -r1.214 cache.c
--- cache.c 4 Nov 2009 05:09:51 -0000 1.214
+++ cache.c 29 Mar 2010 16:41:59 -0000
@@ -184,6 +184,7 @@
if ( !lock ) return 0;
+ DBTzero( &lockobj );
lockobj.data = &ei->bei_id;
lockobj.size = sizeof(ei->bei_id) + 1;
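Review bot: placing DBTzero( &lockobj ) directly before the .data/.size assignments is the right fix here, since a BDB DBT carries more members than those two (ulen, dlen, doff, flags, app_data) and the lock call will otherwise read whatever the stack held in them; consider zeroing once at the declaration of lockobj instead of at the use site, so an early-return or second use added later between the declaration and this point cannot reintroduce the uninitialised DBT. A one-line comment stating that the remaining DBT fields must be zero for the lock call would also make the reason for the call obvious to the next reader.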
@@ -225,6 +226,7 @@
else
db_rw = DB_LOCK_READ;
+ DBTzero( &lockobj );
lockobj.data = &ei->bei_id;
lockobj.size = sizeof(ei->bei_id) + 1;
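Review bot: this is the same three-line sequence as the hunk at line 184 of cache.c (DBTzero, then .data = &ei->bei_id and .size = sizeof(ei->bei_id) + 1); with two identical copies in one file, a small static helper or macro that builds the entry-ID lock DBT would keep the zeroing and the "+ 1" size convention in a single place and make it harder for a future call site to forget the DBTzero again.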
Index: dn2id.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/back-bdb/dn2id.c,v
retrieving revision 1.169
diff -u -u -r1.169 dn2id.c
--- dn2id.c 15 Feb 2010 14:25:47 -0000 1.169
+++ dn2id.c 29 Mar 2010 16:41:59 -0000
@@ -42,6 +42,7 @@
else
db_rw = DB_LOCK_READ;
+ DBTzero( &lockobj );
lockobj.data = dn->bv_val;
lockobj.size = dn->bv_len;
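Review bot: the same fix applied to the DN lock path, where .size comes from dn->bv_len rather than the sizeof(ei->bei_id) + 1 form used in cache.c, so both lock-object layouts now start from a fully zeroed DBT; since the patch covers only these three sites, it would be worth confirming that no other lockobj construction in back-bdb, or in back-hdb, which the report says should receive the same change, still sets .data/.size without a preceding DBTzero.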