https://bugs.openldap.org/show_bug.cgi?id=10340
Issue ID: 10340
Summary: Potential Buffer Overflow in mdb_rebalance
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: alexguo1023@gmail.com
Target Milestone: ---
Created attachment 1067 --> https://bugs.openldap.org/attachment.cgi?id=1067&action=edit
Add an early return when `mc->mc_top == 0`
In `mdb_rebalance`, we do:
```c
int ptop = mc->mc_top - 1;
node = mc->mc_pg[ptop];
```
However, `mc->mc_top` defaults to 0 in many contexts, so `ptop` can become `-1`. Indexing `mc->mc_pg[-1]` causes invalid memory access. Elsewhere this is handled by checking `mc->mc_top > 0` before decrementing.
To fix this, we add an early return when `mc->mc_top == 0`. A root page (or one without a parent) doesn’t need rebalancing, so this guard prevents `ptop` from ever being negative and eliminates the out-of-bounds access.
--- Comment #1 from Alex Guo alexguo1023@gmail.com ---
Additionally, later in `mdb_rebalance`, the code calls:
```c
rc = mdb_page_merge(&mn, mc);
…
rc = mdb_page_merge(mc, &mn);
```
Inside `mdb_page_merge`, `mc_top` is similarly decremented and then used to index `mc_pg` without any preceding check. This same underflow risk exists there and should be guarded with this patch.
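Added example, not part of this bug report and not OpenLDAP/LMDB code: a constructed, simplified model of the cursor page stack that makes the `mc->mc_top - 1` underflow from the description visible and shows the early-return guard applied both to the rebalance step and to a merge taking two cursors, as Comment #1 asks for. The `cursor`/`page` structs, the `RB_*` return codes and the `scenario_*` helpers are illustrative assumptions, not LMDB's real types or error codes.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a B-tree cursor. It is NOT LMDB's MDB_cursor; only the
 * two fields the report discusses are modelled: mc_pg[] is the stack of pages
 * from the root downwards and mc_top is the index of the current page, so
 * mc_top == 0 means the cursor sits on the root, a page with no parent. */
#define CURSOR_STACK_DEPTH 32

typedef struct page { unsigned pgno; } page;

typedef struct cursor {
    page *mc_pg[CURSOR_STACK_DEPTH];
    int   mc_top;
} cursor;

/* Hypothetical return codes for this model (not LMDB's MDB_* codes). */
enum { RB_OK = 0, RB_NOOP_ROOT = 1, RB_BAD_CURSOR = -1 };

/* Position a cursor `depth` levels below the root over constructed pages. */
void cursor_init(cursor *mc, page *pages, int depth) {
    for (int i = 0; i <= depth && i < CURSOR_STACK_DEPTH; i++) {
        pages[i].pgno = (unsigned)i;
        mc->mc_pg[i] = &pages[i];
    }
    mc->mc_top = depth;
}

/* The unguarded computation quoted in the report. It returns only the index
 * that `mc->mc_pg[ptop]` would use, so the underflow is visible without
 * touching memory: at the root it yields -1. */
int parent_index_unguarded(const cursor *mc) {
    return mc->mc_top - 1;
}

/* Guarded rebalance step: the early return proposed in the report. The root
 * has no parent, so there is nothing to rebalance it against; say so instead
 * of indexing mc_pg[-1]. The range check additionally rejects a corrupted
 * mc_top that would index past the end of the stack. */
int rebalance_guarded(cursor *mc, page **parent_out) {
    *parent_out = NULL;
    if (mc->mc_top < 0 || mc->mc_top >= CURSOR_STACK_DEPTH) return RB_BAD_CURSOR;
    if (mc->mc_top == 0) return RB_NOOP_ROOT;   /* root page: nothing to do */
    int ptop = mc->mc_top - 1;                  /* now provably >= 0 */
    *parent_out = mc->mc_pg[ptop];
    return RB_OK;
}

/* Guarded merge in the shape of the two mdb_page_merge calls in Comment #1:
 * both cursors are stepped up to their parent, so the guard must be applied to
 * each argument, not only to the first one. */
int merge_guarded(cursor *src, cursor *dst, page **parent_out) {
    page *src_parent;
    int rc = rebalance_guarded(src, &src_parent);
    if (rc != RB_OK) return rc;
    return rebalance_guarded(dst, parent_out);
}

/* Self-contained scenarios so results can be checked without hand-built cursors. */
int scenario_root_unguarded_index(void) {
    page p[1]; cursor c;
    cursor_init(&c, p, 0);
    return parent_index_unguarded(&c);           /* -1: would read mc_pg[-1] */
}

int scenario_guarded_rc(int depth) {
    page p[CURSOR_STACK_DEPTH]; cursor c; page *parent;
    cursor_init(&c, p, depth);
    return rebalance_guarded(&c, &parent);
}

/* Returns the parent's pgno for a cursor `depth` levels down, or -1 if the
 * guard refused to step up. For depth d the parent sits at stack index d-1. */
int scenario_parent_pgno(int depth) {
    page p[CURSOR_STACK_DEPTH]; cursor c; page *parent;
    cursor_init(&c, p, depth);
    if (rebalance_guarded(&c, &parent) != RB_OK) return -1;
    return (int)parent->pgno;
}

int scenario_merge_rc(int src_depth, int dst_depth) {
    page ps[CURSOR_STACK_DEPTH], pd[CURSOR_STACK_DEPTH]; cursor s, d; page *parent;
    cursor_init(&s, ps, src_depth);
    cursor_init(&d, pd, dst_depth);
    return merge_guarded(&s, &d, &parent);
}

int main(void) {
    printf("unguarded parent index at root: %d\n", scenario_root_unguarded_index());
    printf("guarded rc at root: %d, three levels down: %d\n",
           scenario_guarded_rc(0), scenario_guarded_rc(3));
    printf("merge rc (root, deep): %d, (deep, root): %d, (deep, deep): %d\n",
           scenario_merge_rc(0, 3), scenario_merge_rc(3, 0), scenario_merge_rc(3, 3));
    return 0;
}
```

The point of the model is that the check belongs at the top of the routine, before any stack arithmetic, and that a routine taking two cursors needs it for both; a guard on only the first argument leaves the second `mc_top - 1` exactly as exposed as before.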