Full_Name: Stef Walter
Version: openldap 2.4.10
OS: FreeBSD 6.3-RELEASE-p2
URL: http://memberwebs.com/stef/scraps/openldap24-buffer-overflow.patch
Submission from: (NULL) (189.162.38.105)
The back_sock and back_shell backends have an off-by-one buffer overflow in their result parsing code, in read_and_send_results(), lines 82-89 of result.c. The buffer is reallocated when an additional string would be too long for it, but the string's null terminator is not taken into account in the length check.
This can cause a crash in certain situations. Which situations is obviously data and OS dependent, but with specific data the crash is reproducible.
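The following C program is an added illustration of the length check described above; it is not code from the report, the patch, or slapd. It models the check in two forms (a `needs_grow_buggy` that ignores the terminator and a `needs_grow_fixed` that counts it, both names chosen here), shows the one case where the original check says "fits" while the write still runs one byte past the end, and then appends a few constructed lines with the corrected check, using a tiny chunk size in place of BUFSIZ so that reallocation is actually exercised:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Models of the length check in the result-accumulation loop, written
 * for this note rather than taken from slapd. 'offset' is bp - buf,
 * the number of bytes already stored in the buffer. */

/* Original check as the report describes it: only the line's bytes are
 * counted, so a line that exactly fills the remaining space passes and
 * its NUL terminator lands one byte past the end of the allocation. */
static int needs_grow_buggy(size_t offset, size_t len, size_t bsize)
{
    return offset + len > bsize;
}

/* Check with the patch applied: len + 1 bytes are about to be written. */
static int needs_grow_fixed(size_t offset, size_t len, size_t bsize)
{
    return offset + len + 1 > bsize;
}

/* 1 if the given check lets a copy of the line plus its NUL exceed bsize. */
static int check_overflows(int (*needs_grow)(size_t, size_t, size_t),
                           size_t offset, size_t len, size_t bsize)
{
    return !needs_grow(offset, len, bsize) && offset + len + 1 > bsize;
}

int buggy_check_overflows(size_t offset, size_t len, size_t bsize)
{
    return check_overflows(needs_grow_buggy, offset, len, bsize);
}

int fixed_check_overflows(size_t offset, size_t len, size_t bsize)
{
    return check_overflows(needs_grow_fixed, offset, len, bsize);
}

/* Accumulate 'n' lines into one growing buffer using the corrected check.
 * 'chunk' plays the role of BUFSIZ (kept tiny so growth is exercised).
 * Returns a malloc'd NUL-terminated string, or NULL on failure;
 * *out_bsize receives the final allocation size. */
char *append_lines(const char *const *lines, size_t n, size_t chunk,
                   size_t *out_bsize)
{
    size_t bsize = chunk;
    char *buf, *bp;

    if (chunk == 0)
        return NULL;
    buf = malloc(bsize);
    if (buf == NULL)
        return NULL;
    buf[0] = '\0';
    bp = buf;

    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(lines[i]);
        /* Same shape as the patched loop: grow until line + NUL fits. */
        while (needs_grow_fixed((size_t)(bp - buf), len, bsize)) {
            size_t offset = bp - buf;
            char *nbuf;
            bsize += chunk;
            nbuf = realloc(buf, bsize);
            if (nbuf == NULL) {
                free(buf);
                return NULL;
            }
            buf = nbuf;
            bp = buf + offset;   /* re-base bp: realloc may have moved buf */
        }
        memcpy(bp, lines[i], len + 1);   /* copies the terminator as well */
        bp += len;
    }
    if (out_bsize)
        *out_bsize = bsize;
    return buf;
}

int main(void)
{
    /* Constructed sample input. */
    static const char *const lines[] = { "abc", "defgh", "ij" };
    size_t bsize = 0;
    char *s = append_lines(lines, 3, 4, &bsize);

    printf("buggy check overflows on exact fit: %d\n", buggy_check_overflows(0, 8, 8));
    printf("fixed check overflows on exact fit: %d\n", fixed_check_overflows(0, 8, 8));
    printf("joined: \"%s\" (buffer %zu bytes)\n", s ? s : "(null)", bsize);
    free(s);
    return 0;
}
```

The exact-fit case (an 8-byte line into 8 free bytes) is the one the report describes: the original comparison is false, so no reallocation happens, and the terminator is written at index 8 of an 8-byte buffer.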
Patch which fixes the problem:
--- ../openldap-2.4.10/servers/slapd/back-sock/result.c 2008-02-08 18:46:09.000000000 -0000 +++ servers/slapd/back-sock/result.c 2008-06-13 15:56:46.000000000 -0000 @@ -77,7 +77,7 @@ }
len = strlen( line ); - while ( bp + len - buf > bsize ) { + while ( bp + (len + 1) - buf > bsize ) { size_t offset = bp - buf; bsize += BUFSIZ; buf = (char *) ch_realloc( buf, bsize ); --- ../openldap-2.4.10/servers/slapd/back-shell/result.c 2008-02-11 17:26:47.000000000 -0000 +++ servers/slapd/back-shell/result.c 2008-06-13 15:57:02.000000000 -0000 @@ -80,7 +80,7 @@ }
len = strlen( line ); - while ( bp + len - buf > bsize ) { + while ( bp + (len + 1) - buf > bsize ) { size_t offset = bp - buf; bsize += BUFSIZ; buf = (char *) ch_realloc( buf, bsize );
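Review bot: Both hunks are correct and identical, and the back-sock and back-shell copies of this loop must stay in sync, but the corrected condition still compares a ptrdiff_t with a size_t and forms `bp + (len + 1)`, a pointer that can lie past the current allocation, before subtracting `buf`. Computing the offset first avoids both and makes the intent visible: `while ( (size_t)(bp - buf) + len + 1 > bsize ) {`, ideally with a one-line comment that the `+ 1` accounts for the string's null terminator.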