Full_Name: Matthew Hardin
Version: 2.4.33+
OS: All
URL: ftp://ftp.openldap.org/incoming/sha2.c-diff.txt
Submission from: (NULL) (69.43.206.100)
contrib/slapd-modules/passwd/sha2/sha2.c uses a series of context buffers and zeros them out in several places using the following macro:
MEMSET_BZERO(context, sizeof(context))
The variable 'context' is a pointer to a context buffer, so sizeof(context) evaluates to the size of a pointer on the particular platform (typically 4 or 8 bytes) rather than the size of the buffer it points to. As a result, only the first few bytes of the context are zeroed; the rest of the hash state and any buffered input remain in memory after the wipe.
The correct invocation is:
MEMSET_BZERO(context, sizeof(*context))
which will zero out the complete context buffer.
The referenced diff details the changes to sha2.c that are necessary to correct this issue.
Note that this also cleans up warnings reported by macOS's clang compiler.
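The following is an added illustration, not code from OpenLDAP's sha2.c or from the referenced diff. It uses a stand-in context struct (the field names and sizes are assumptions, not the real sha2.c layout) and defines MEMSET_BZERO as a plain memset wrapper (also an assumption) to show how many bytes each form of the macro actually clears.

```c
/* Added example, not code from OpenLDAP's sha2.c. The struct layout and the
 * MEMSET_BZERO definition below are assumptions for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a SHA-2 context: hash state, bit count, and block buffer.
 * Assumption: illustrative layout, not the real sha2.c definition. */
typedef struct {
    uint32_t state[8];
    uint64_t bitcount;
    uint8_t  buffer[64];
} EXAMPLE_SHA256_CTX;

/* Assumption: the macro is a plain memset-to-zero wrapper. */
#define MEMSET_BZERO(p, l) memset((p), 0, (l))

/* Fill the whole context with non-zero bytes so we can see what survives a wipe. */
static void fill_context(EXAMPLE_SHA256_CTX *context) {
    memset(context, 0xAA, sizeof(*context));
}

/* Count the bytes of the context that are still non-zero after a wipe. */
static size_t nonzero_bytes(const EXAMPLE_SHA256_CTX *context) {
    const unsigned char *p = (const unsigned char *)context;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*context); i++)
        if (p[i] != 0)
            n++;
    return n;
}

/* Buggy form from the report: sizeof(context) is the size of the pointer,
 * so only 4 or 8 bytes at the start of the struct are cleared. */
size_t wipe_buggy(EXAMPLE_SHA256_CTX *context) {
    fill_context(context);
    MEMSET_BZERO(context, sizeof(context));
    return nonzero_bytes(context);
}

/* Corrected form: sizeof(*context) is the size of the pointed-to struct,
 * so every byte of the context is cleared. */
size_t wipe_fixed(EXAMPLE_SHA256_CTX *context) {
    fill_context(context);
    MEMSET_BZERO(context, sizeof(*context));
    return nonzero_bytes(context);
}

int main(void) {
    EXAMPLE_SHA256_CTX ctx;
    printf("context size: %zu bytes, pointer size: %zu bytes\n",
           sizeof(ctx), sizeof(&ctx));
    printf("sizeof(context) wipe leaves %zu non-zero bytes\n", wipe_buggy(&ctx));
    printf("sizeof(*context) wipe leaves %zu non-zero bytes\n", wipe_fixed(&ctx));
    return 0;
}
```

On a 64-bit build the buggy form leaves all but the first 8 bytes of the context intact, which for a real SHA-2 context means most of the hash state and the whole block buffer survive the intended wipe. The one-character change to sizeof(*context) makes the cleared length follow the struct rather than the pointer type, which is the same correction the referenced diff applies.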
I, Matthew Hardin, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.