New subject: [Issue 10340] Potential Buffer Overflow in mdb_rebalance

27 May 2025


      https://bugs.openldap.org/show_bug.cgi?id=10340
Issue ID: 10340
           Summary: Potential Buffer Overflow in mdb_rebalance
           Product: OpenLDAP
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: libraries
          Assignee: bugs@openldap.org
          Reporter: alexguo1023@gmail.com
  Target Milestone: ---
Created attachment 1067
  --> https://bugs.openldap.org/attachment.cgi?id=1067&action=edit
Add an early return when `mc->mc_top == 0`
In `mdb_rebalance`, we do:
```c
int ptop = mc->mc_top - 1;
node = mc->mc_pg[ptop];
```
However, `mc->mc_top` defaults to 0 in many contexts, so `ptop` can become
`-1`. Indexing `mc->mc_pg[-1]` causes invalid memory access. Elsewhere this is
handled by checking `mc->mc_top > 0` before decrementing.
To fix this, we add an early return when `mc->mc_top == 0`. A root page (or one
without a parent) doesn’t need rebalancing, so this guard prevents `ptop` from
ever being negative and eliminates the out-of-bounds access.
-- 
You are receiving this mail because:
You are on the CC list for the issue.

[Issue 10340] New: Potential Buffer Overflow in mdb_rebalance