https://bugs.openldap.org/show_bug.cgi?id=10077
Issue ID: 10077
Summary: Integer overflow in util-int.c
Product: OpenLDAP
Version: 2.6.3
Hardware: All
OS: Windows
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: michal.pura@gmail.com
Target Milestone: ---
Created attachment 971 --> https://bugs.openldap.org/attachment.cgi?id=971&action=edit : the fix proposal for the ldap_pvt_gettimensec() function
Hello, I found an issue with the contextCSN generation process which causes its format to be invalid (a minus sign in the nanoseconds field).
Example: "generated new csn=20230630080704.-489933Z#000000#000#000000"
The bug can introduce a minus sign in the contextCSN, which could have an impact on the replication process, backup restoring, etc.: everywhere the format of the contextCSN is checked before processing it.
According to the source code and reference documents, the contextCSN nanoseconds field should have a value in the range 000000-999999.
https://www.openldap.org/faq/data/cache/1145.html
The problem is in the function ldap_pvt_gettimensec() in the util-int.c file. For example, in this line:
count.QuadPart += (10 * BILLION);
The value of (10 * BILLION) will be treated as a 32-bit value by the compiler and will cause an integer overflow. Then a random value is added to count.QuadPart, which in some specific cases can produce a negative value that is returned from the function. At the end the value is passed to the function ldap_pvt_csnstr(), so the contextCSN is wrongly generated (with a minus sign).
The 'LL' qualifier is missing; the code should look like this:
count.QuadPart += (10LL * BILLION);
I also suggest changing the type of the _ldap_pvt_gt_offset variable from int to long long.
In the attachment you will find the fix proposal, as there are more places in the function where changes are required.
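A constructed illustration of the arithmetic the report describes, added here; it is not OpenLDAP's code and not the attached patch. It assumes BILLION is a 32-bit long as on Windows, models the adjustment as adding ten seconds' worth of nanoseconds to a slightly negative 64-bit count, and the field formatter and the sample delta are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed definition: on Windows a long is 32 bits, so 10 * BILLION
 * is evaluated in 32-bit arithmetic before it ever reaches QuadPart. */
#define BILLION 1000000000L

/* The value a wrapping 32-bit multiply of 10 * BILLION yields (1410065408
 * instead of 10000000000). Computed with unsigned modular arithmetic so the
 * demonstration itself has defined behaviour; signed overflow in C does not. */
static int32_t wrapped_ten_billion(void)
{
    uint32_t product = (uint32_t)10 * (uint32_t)BILLION; /* mod 2^32 */
    return (int32_t)product;
}

/* Model of the adjustment: a 64-bit nanosecond count that went slightly
 * negative is brought back into range by adding ten seconds of nanoseconds.
 * With the 32-bit product the adjustment is far too small and the result
 * can stay negative. */
static long long adjust_buggy(long long quad)
{
    return quad + wrapped_ten_billion();
}

/* The fix from the report: the LL suffix forces 64-bit arithmetic. */
static long long adjust_fixed(long long quad)
{
    return quad + (10LL * BILLION);
}

/* Constructed formatter for the six-digit sub-second CSN field (ns -> us,
 * zero-padded). A negative input prints the minus sign seen in the report. */
static const char *csn_subsec_field(char *buf, size_t len, long long nsec)
{
    snprintf(buf, len, "%06lld", (nsec % BILLION) / 1000);
    return buf;
}

int main(void)
{
    char buf[32];
    long long delta = -1900000000LL; /* constructed: ~1.9 s behind the clock */
    printf("buggy: %s\n", csn_subsec_field(buf, sizeof buf, adjust_buggy(delta)));
    printf("fixed: %s\n", csn_subsec_field(buf, sizeof buf, adjust_fixed(delta)));
    return 0;
}
```

With the constructed delta the buggy path yields -489934592 ns and a "-489934" field; the fixed path yields 8100000000 ns, from which the caller carries whole seconds out.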