https://bugs.openldap.org/show_bug.cgi?id=9583
Issue ID: 9583
Summary: possible memory corruption in avl_buildlist
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: grapvar@gmail.com
Target Milestone: ---
In the excerpt below: if avl_maxlist is large enough then address
(NULL + avl_maxlist * sizeof(pointer))
may be mapped into the address space. If ber_memrealloc fails, avl_list[avl_maxlist]=… will corrupt program state before it eventually crashes.
libraries/libldap/avl.c:
static int slots;

static int avl_buildlist( void* data, … )
{
    if ( avl_list == 0 ) {
        slots = 100;
        avl_list = ber_memalloc(100 * sizeof(void*));
        …
    } else if ( avl_maxlist == slots ) {
        slots += 100;
        avl_list = ber_memrealloc( avl_list, slots * sizeof(void*));
        …
    }
    avl_list[ avl_maxlist++ ] = data;
Please be advised that this issue has been reported by an accidental visitor, from a developer's point of view, not a user's point of view, so I won't define, provide or construct any “valid use case”.
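For comparison, the same grow-by-100 append written so that a failed reallocation cannot lead to a write through a NULL-based address. This is an added example, not OpenLDAP code: the struct, the LIST_GROW constant and the fail_next_alloc hook (which stands in for ber_memrealloc() returning NULL) are hypothetical names chosen for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical replacement for the libldap static globals:
 * the array, the used count (avl_maxlist) and the allocated slots. */
struct avl_list {
    void **items;
    int    used;
    int    slots;
};

#define LIST_GROW 100

/* Test hook: when non-zero, the allocator below reports failure,
 * simulating ber_memrealloc() returning NULL under memory pressure. */
static int fail_next_alloc = 0;

static void *list_realloc(void *p, size_t n)
{
    return fail_next_alloc ? NULL : realloc(p, n);
}

/* Append one pointer, growing the array by LIST_GROW entries when full.
 * Returns 0 on success, -1 if allocation failed. On failure the list is
 * left exactly as it was: the old block is still owned by l->items, and
 * no store through a NULL-based index is ever performed. */
static int avl_list_push(struct avl_list *l, void *data)
{
    if (l->used == l->slots) {
        int new_slots = l->slots + LIST_GROW;
        /* realloc(NULL, n) covers the first allocation as well. Assign to a
         * temporary so a NULL result does not overwrite the valid pointer. */
        void **grown = list_realloc(l->items, (size_t)new_slots * sizeof(void *));
        if (grown == NULL)
            return -1;
        l->items = grown;
        l->slots = new_slots;
    }
    l->items[l->used++] = data;
    return 0;
}

static void avl_list_free(struct avl_list *l)
{
    free(l->items);
    l->items = NULL;
    l->used = l->slots = 0;
}
```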
Howard Chu hyc@openldap.org changed:
What | Removed | Added
Status | UNCONFIRMED | RESOLVED
Resolution | --- | WONTFIX
--- Comment #1 from Howard Chu hyc@openldap.org --- Nothing uses these functions.
--- Comment #2 from Michael Ströder michael@stroeder.com --- (In reply to Howard Chu from comment #1)
> Nothing uses these functions.
If nothing uses this code then it should be removed, shouldn't it?
At least the security guidelines I know which are used in audits mandate to remove *all* dead code.
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Status | RESOLVED | VERIFIED
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org --- (In reply to Michael Ströder from comment #2)
> If nothing uses this code then it should be removed, shouldn't it?
> At least the security guidelines I know which are used in audits mandate to remove *all* dead code.
General OpenLDAP policy appears to be to never delete code, no matter how dead it is.
--- Comment #4 from Konstantin Andreev grapvar@gmail.com --- (In reply to Quanah Gibson-Mount from comment #3)
> General OpenLDAP policy appears to be to never delete code, no matter how dead it is.
Could you please let us know the reason behind this?
Does it also mean that a patch eliminating dead code will be declined?