h.b.furuseth@usit.uio.no wrote:
Full_Name: Hallvard B Furuseth
Version: HEAD, RE24
OS:
URL:
Submission from: (NULL) (129.240.6.233)
Submitted by: hallvard

syncrepl accepts rid values in range [0, SLAP_SYNC_SID_MAX (4095)], but proceeds to assume the rid is in range [0, SLAP_SYNC_RID_MAX (999)]. This can produce buffer overruns for such rids.
slapd.conf(5) says max rid = 4095, since ITS#5108.
Possible fixes: either to revert to a limit of 999, or expand to 4 digits to support the documented behavior, or to make them hex to keep the documented limit but still max 3 digits.
I've opted to revert to 999. The previous behavior was completely broken anyway; aside from the syncrepl config parser all of the rest of the infrastructure was still treating rids as 3 decimal digits: the config unparser, slapd-config(5), slap_compose_sync_cookie, slap_parse_sync_cookie, etc. etc... All of these would have had to change to hex to make the 4095 limit work, and they weren't. Also, for backward compatibility with 2.3, they can't.
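
The mismatch discussed in this thread, as an added example that is not OpenLDAP code and not part of either message: a parser bounded by SLAP_SYNC_SID_MAX feeding a consumer that assumes three decimal digits, next to the same parser bounded by SLAP_SYNC_RID_MAX. The function names, the "rid=%03d" field layout and the sample inputs are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Limit names and values as given in the report. */
#define SLAP_SYNC_SID_MAX 4095
#define SLAP_SYNC_RID_MAX 999
/* Assumed field layout for this sketch: "rid=" + 3 digits + NUL = 8 bytes. */
#define RID_FIELD_LEN sizeof("rid=000")

/* Hypothetical config parser: accept a decimal rid in [0, max]. */
static int parse_rid(const char *s, long max, int *rid)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno || end == s || *end != '\0' || v < 0 || v > max)
        return -1;
    *rid = (int)v;
    return 0;
}

/* Hypothetical 3-digit consumer: -1 where an unchecked sprintf() would overrun. */
static int format_rid(char *buf, size_t len, int rid)
{
    int n = snprintf(buf, len, "rid=%03d", rid);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* 1 if every rid the parser accepts under `max` fits the 3-digit field. */
static int limit_is_safe(long max)
{
    char buf[RID_FIELD_LEN];
    return format_rid(buf, sizeof buf, (int)max) >= 0;
}

int main(void)
{
    const char *samples[] = { "7", "999", "1000", "4095" }; /* constructed */
    char buf[RID_FIELD_LEN];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int rid = 0;
        int loose = parse_rid(samples[i], SLAP_SYNC_SID_MAX, &rid);
        int fits = loose == 0 && format_rid(buf, sizeof buf, rid) >= 0;
        int strict = parse_rid(samples[i], SLAP_SYNC_RID_MAX, &rid);
        printf("%-5s max4095:%s fits:%s max999:%s\n", samples[i], loose ? "reject" : "accept",
               fits ? "yes" : "NO", strict ? "reject" : "accept");
    }
    return 0;
}
```

A check like limit_is_safe() can run as a startup self-test or unit test, so that a later change to the accepted range fails loudly instead of leaving fixed-width consumers behind.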