Full_Name: Dave Daugherty
Version: 2.2.6 and 2.4.17
OS: RedHat EL3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (63.170.119.248)
We use ber_flatten2 in an unusual way, but I think this issue is generic.
    int ber_flatten2( BerElement *ber, struct berval *bv, int alloc )
    {
        /* copy the berval */
        ber_len_t len = ber_pvt_ber_write( ber );

        if ( alloc ) {
            bv->bv_val = (char *) ber_memalloc_x( len + 1, ber->ber_memctx );
            if ( bv->bv_val == NULL ) {
                return -1;
            }
            AC_MEMCPY( bv->bv_val, ber->ber_buf, len );
        } else {
            bv->bv_val = ber->ber_buf;
        }
        bv->bv_val[len] = '\0';    /* <- ???? */
        bv->bv_len = len;
The problem I have is a crash, because of the bv->bv_val[len] = '\0' when alloc is set to zero, AND the buffer that was passed in was generated by ber_realloc, which did not leave an extra byte at the end, resulting in a write beyond the allocated memory block.
The questions I have are:
1) Is the zero terminator really necessary?
2) If so, it seems like it should only be done if we actually allocated a new buffer (which does leave one byte at the end).
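To make the two paths concrete, here is an added model in C that is not OpenLDAP's code: model_ber, model_bv and model_flatten2 are hypothetical stand-ins for BerElement, struct berval and ber_flatten2, with a capacity field added so the in-place (alloc == 0) path can refuse a buffer that has no spare byte for the terminator instead of writing past its end.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for BerElement/berval; cap records allocated size. */
struct model_ber { char *buf; size_t len; size_t cap; };
struct model_bv  { char *val; size_t len; };

/* Same shape as the reported ber_flatten2: the alloc path makes a len+1
 * buffer, so the terminator fits; the no-alloc path writes the terminator
 * into the caller's buffer and now refuses unless a spare byte exists. */
int model_flatten2(struct model_ber *ber, struct model_bv *bv, int alloc)
{
    size_t len = ber->len;
    if (alloc) {
        bv->val = malloc(len + 1);
        if (bv->val == NULL)
            return -1;
        memcpy(bv->val, ber->buf, len);
    } else {
        if (ber->cap < len + 1)   /* added bounds check */
            return -1;
        bv->val = ber->buf;
    }
    bv->val[len] = '\0';
    bv->len = len;
    return 0;
}

/* Buffer sized exactly to its contents (cap == len), as a tight realloc
 * would leave it: the no-alloc call must refuse, the alloc call succeeds. */
int check_tight_buffer(void)
{
    char data[4] = { 0x30, 0x02, 0x01, 0x05 };   /* constructed sample bytes */
    struct model_ber ber = { data, sizeof data, sizeof data };
    struct model_bv bv = { NULL, 0 };
    int refused = (model_flatten2(&ber, &bv, 0) == -1);
    int ok = (model_flatten2(&ber, &bv, 1) == 0 && bv.len == 4 && bv.val[4] == '\0');
    free(bv.val);
    return refused && ok;
}

/* Same contents with one spare byte (cap == len + 1): the in-place path
 * may terminate safely and returns 0 without touching bytes past cap. */
int check_spare_byte(void)
{
    char data[5] = { 0x30, 0x02, 0x01, 0x05, 'X' };   /* constructed sample */
    struct model_ber ber = { data, 4, sizeof data };
    struct model_bv bv = { NULL, 0 };
    return model_flatten2(&ber, &bv, 0) == 0 && bv.val == data && data[4] == '\0';
}
```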