https://bugs.openldap.org/show_bug.cgi?id=10357
Issue ID: 10357
Summary: Potential buffer underflow in function config_find_base
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: alexguo1023@gmail.com
Target Milestone: ---

In function `config_find_base`, we have the code:
```c
char *c = dn->bv_val+dn->bv_len;
for (;*c != ',';c--);
```
In the loop, if the string doesn't contain any commas, `c` will decrement below `dn->bv_val`, causing buffer underflow when `*c` is accessed.
Ondřej Kuzník ondra@mistotebe.net changed:
What      |Removed    |Added
----------------------------------------------------------------------------
Resolution|---        |INVALID
Status    |UNCONFIRMED|RESOLVED

--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
Hi Alex,
config_find_base is only used in back_config operation where the entry is known to reside in the cn=config subtree. As the only case when such a DN might include no commas (the DN of cn=config itself) is handled on the line before, we are guaranteed that there is at least one.
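A bounded variant of the reverse scan quoted in the report, as an added example (not OpenLDAP's code and not part of this thread): it returns NULL when the DN has no comma instead of relying on the caller's guarantee. `struct bv`, `last_comma_bounded` and `last_comma_offset` are hypothetical names, and the sample DNs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenLDAP's struct berval (length + pointer), declared here
 * so the example builds without the OpenLDAP headers. */
struct bv {
    size_t bv_len;
    char  *bv_val;
};

/* Bounded form of the reverse scan: walk back from the end of the DN
 * looking for ',', but stop at bv_val instead of trusting the caller to
 * guarantee that a comma exists. Returns NULL when there is none. */
static char *last_comma_bounded(const struct bv *dn)
{
    if (dn == NULL || dn->bv_val == NULL || dn->bv_len == 0)
        return NULL;

    char *c = dn->bv_val + dn->bv_len;
    while (c > dn->bv_val) {
        c--;                 /* never steps before bv_val */
        if (*c == ',')
            return c;
    }
    return NULL;
}

/* Hypothetical helper: offset of the last comma, or -1 if absent. */
static long last_comma_offset(const char *s)
{
    struct bv dn = { strlen(s), (char *)s };
    char *c = last_comma_bounded(&dn);
    return c ? (long)(c - dn.bv_val) : -1;
}

int main(void)
{
    /* Constructed sample DNs. */
    const char *samples[] = { "olcDatabase={1}mdb,cn=config", "cn=config", "" };
    for (size_t i = 0; i < 3; i++)
        printf("%-32s -> %ld\n", samples[i], last_comma_offset(samples[i]));
    return 0;
}
```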
Alex Guo alexguo1023@gmail.com changed:
What      |Removed    |Added
----------------------------------------------------------------------------
Resolution|INVALID    |---
Status    |RESOLVED   |UNCONFIRMED

--- Comment #2 from Alex Guo alexguo1023@gmail.com ---
Thanks for your explanation!
Quanah Gibson-Mount quanah@openldap.org changed:
What      |Removed    |Added
----------------------------------------------------------------------------
Status    |UNCONFIRMED|RESOLVED
Resolution|---        |INVALID
Quanah Gibson-Mount quanah@openldap.org changed:
What      |Removed    |Added
----------------------------------------------------------------------------
Status    |RESOLVED   |VERIFIED