https://bugs.openldap.org/show_bug.cgi?id=9741
Issue ID: 9741
Summary: Meaningless out-of-bound read in ldif-filter.c
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: matthias.st.pierre@ncp-e.com
Target Milestone: ---
I just stumbled over the following compiler warning in ldif-filter.c (see [1]):
ldif-filter.c:209:16: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
        sep = "\r\n" + 2 - line_len;       /* sep = copy(line) */
              ~~~~~~~^~~
ldif-filter.c:209:16: note: use array indexing to silence this warning
        sep = "\r\n" + 2 - line_len;       /* sep = copy(line) */
              ^
              &     [ ]
While the expression is valid pointer arithmetic, it does not make sense to me, because it calculates some (possibly negative) offset to the literal string "\r\n" in memory, not the address of the beginning of some line, as the comment `sep = copy(line)` suggests. (Originally added in commit [2]).
[1] https://git.openldap.org/openldap/openldap/-/blob/master/tests/progs/ldif-fi... [2] https://git.openldap.org/openldap/openldap/-/commit/725743abdb
matthias.st.pierre@ncp-e.com changed:
What    |Removed |Added
--------+--------+-----------------------------
CC      |        |matthias.st.pierre@ncp-e.com
--- Comment #1 from matthias.st.pierre@ncp-e.com ---
The potential out-of-bound read occurs in line 171 inside the loop:
https://git.openldap.org/openldap/openldap/-/blob/master/tests/progs/ldif-fi...
Howard Chu hyc@openldap.org changed:
What        |Removed     |Added
------------+------------+------------
Status      |UNCONFIRMED |RESOLVED
Resolution  |---         |INVALID
--- Comment #2 from Howard Chu hyc@openldap.org ---
(In reply to matthias.st.pierre from comment #1)
> The potential out-of-bound read occurs in line 171 inside the loop:
> https://git.openldap.org/openldap/openldap/-/blob/master/tests/progs/ldif-filter.c#L171
There is no out of bounds read, there is no bug here. The check at line 188 ensures that line_len will only be 0, 1, or 2 when it reaches 209.
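The pointer arithmetic in question, worked through as an added example (my own code, not OpenLDAP's ldif-filter.c): if line_len can only be 0, 1 or 2 when the expression runs, `"\r\n" + 2 - line_len` points at the suffix of the literal that has exactly line_len characters, so sep compares equal to a line that is "", "\n" or "\r\n", which is what the `sep = copy(line)` comment means. The `sep_for_len` helper and its explicit range check are assumptions of this example; they stand in for the earlier range check the comment refers to, whose exact form is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Literal the original expression indexes into; strlen(crlf) == 2. */
static const char crlf[] = "\r\n";

/* Guarded equivalent of sep = "\r\n" + 2 - line_len.  With line_len in
 * {0, 1, 2} the result is "", "\n" or "\r\n" respectively: the suffix of the
 * literal with exactly line_len characters.  Any larger value would yield a
 * pointer before the start of the literal, which is why a range check on
 * line_len must precede the expression.  Returns NULL when out of range
 * (hypothetical helper; the real code relies on an earlier check instead). */
static const char *sep_for_len(size_t line_len)
{
    if (line_len > sizeof(crlf) - 1)
        return NULL;
    /* Same pointer as crlf + 2 - line_len; the indexing form is what the
     * compiler's -Wstring-plus-int note suggests to silence the warning. */
    return &crlf[sizeof(crlf) - 1 - line_len];
}

/* A line at that point is expected to be empty, "\n" or "\r\n".  Returns 1
 * if the pointer picked for its length reproduces the line byte for byte,
 * 0 otherwise (including when the length is rejected). */
static int sep_matches_line(const char *line)
{
    const char *sep = sep_for_len(strlen(line));
    return sep != NULL && strcmp(sep, line) == 0;
}

int main(void)
{
    /* Constructed inputs: the three lengths the check permits plus one it
     * rejects. */
    const char *lines[] = { "", "\n", "\r\n", "x\r\n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        size_t n = strlen(lines[i]);
        const char *sep = sep_for_len(n);
        printf("line_len=%zu -> %s\n", n,
               sep == NULL ? "rejected (out of range)"
                           : sep_matches_line(lines[i]) ? "sep == line"
                                                        : "sep != line");
    }
    return 0;
}
```

The point of the range check is that the expression is only valid pointer arithmetic for 0 <= line_len <= 2; for 2 the pointer is the literal itself, for 0 it is its terminating NUL, and anything larger would form a pointer before the object, which is undefined behaviour rather than a harmless offset.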
Quanah Gibson-Mount quanah@openldap.org changed:
What      |Removed      |Added
----------+-------------+----------
Status    |RESOLVED     |VERIFIED
Keywords  |needs_review |
--- Comment #3 from matthias.st.pierre@ncp-e.com ---
Ok, thank you for the clarification!