(ITS#7995) of-by-one error in schema - openldap-bugs

9 Dec 2014


      Full_Name: Leonid Yuriev
Version: 2.4.40
OS: RHEL7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (31.130.36.33)
In some cases (presumably when a database contains more attributes than defined
in the scheme) a heap error may be detected at stop of slapd.
Below is the result of attempts to find a bug(s) with Valgrind.
It is enough to corrupt a malloc's heap!
==29701== Invalid write of size 1
==29701== at 0x4A089AF: strcpy (vg_replace_strmem.c:458)
==29701== by 0x45ECC6: slap_bv2undef_ad (ad.c:772)
==29701== by 0x4C3649: mdb_ad_read (attr.c:575)
==29701== by 0x4949D7: mdb_db_open (init.c:278)
==29701== by 0x482D86: over_db_open (backover.c:149)
==29701== by 0x42DA58: backend_startup_one (backend.c:224)
==29701== by 0x42DD22: backend_startup (backend.c:325)
==29701== by 0x44ABB0: slap_startup (init.c:219)
==29701== by 0x406C55: main (main.c:988)
==29701== Address 0x57d9187 is 0 bytes after a block of size 71 alloc'd
==29701== at 0x4A0720A: malloc (vg_replace_malloc.c:296)
==29701== by 0x549A18: ber_memalloc_x (memory.c:228)
==29701== by 0x43901A: ch_malloc (ch_malloc.c:54)
=979701== by 0x45EC93: slap_bv2undef_ad (ad.c:764)
==29701== by 0x4C3649: mdb_ad_read (attr.c:575)
==29701== by 0x4949D7: mdb_db_open (init.c:278)
==29701== by 0x482D86: over_db_open (backover.c:149)
==29701== by 0x42DA58: backend_startup_one (backend.c:224)
==29701== by 0x42DD22: backend_startup (backend.c:325)
==29701== by 0x44ABB0: slap_startup (init.c:219)
==29701== by 0x406C55: main (main.c:988)
==29701==
==29701== Invalid read of size 1
==29701== at 0x53BE9F: ldap_pvt_str2upper (string.c:116)
==29701== by 0x45ECCF: slap_bv2undef_ad (ad.c:775)
==29701== by 0x4C3649: mdb_ad_read (attr.c:575)
==29701== by 0x4949D7: mdb_db_open (init.c:278)
==29701== by 0x482D86: over_db_open (backover.c:149)
==29701== by 0x42DA58: backend_startup_one (backend.c:224)
==291%1== by 0x42DD22: backend_startup (backend.c:325)
==29701== by 0x44ABB0: slap_startup (init.c:219)
==29701== by 0x406C55: main (main.c:988)
==29701== Address 0x57d9187 is 0 bytes after a block of size 71 alloc'd
==29701== at 0x4A0720A: malloc (vg_replace_malloc.c:296)
==29701== by 0x549A18: ber_memalloc_x (memory.c:228)
==29701== by 0x43901A: ch_malloc (ch_malloc.c:54)
==29701== by 0x45EC93: slap_bv2undef_ad (ad.c:764)
==29701== by 0x4C3649: mdb_ad_read (attr.c:575)
==29701== by 0x4949D7: mdb_db_open (init.c:278)
==29701== by 0x482D86: over_db_open (backover.c:149)
==29701== by 0x42DA58: backend_startup_one (backend.c:224)
==29701== by 0x42DD22: backend_startup (backend.c:325)
==29701== by 0x44ABB0: slap_startup (init.c:219)
==29703D%3= by 0x406C55: main (main.c:988)
==29701== Invalid read of size 1
==29701== at 0x30E184812C: vfprintf (in /lib64/libc-2.12.so)
==29701== by 0x30E186FA51: vsnprintf (in /lib64/libc-2.12.so)
==29701== by 0x5498DA: lutil_debug (debug.c:67)
==29701== by 0x45ED34: slap_bv2undef_a(a8ad.c:785)
==29701== by 0x4C3649: mdb_ad_read (attr.c:575)
==29701== by 0x4949D7: mdb_db_open (init.c:278)
==29701== by 0x482D86: over_db_open (backover.c:149)
==29701== by 0x42DA58: backend_startup_one (backend.c:224)
==29701== by 0x42DD22: backend_startup (backend.c:325)
==29701== by 0x44ABB0: slap_startup (init.c:219)
==29701== by 0x406C55: main (main.c:988)
==29701== Address 0x57d9187 is 0 bytes after a block of size 71 alloc'd
==29701== at 0x4A0720A: malloc (vg_replace_malloc.c:296)
==29701== by 0x549A18: ber_memalloc_x (memory.c:228)
==29701== by 0x43901A: ch_malloc (ch_malloc.c:54)
==29701== by 0x45EC93: slap_bv2undef_ad (ad.c:764)
==29701== by 0x4C3649: mdb_ad_read (attr.c:575)
==29701== by 0x4949D7: mdb_db_open (init.c:278)
==29701== by 0x482D86: over_db_open (backover.c:149)
==29701== by 0x42DA58: backend_startup_one (backend.c:224)
==29701== by 0x42DD22: backend_startup (backend.c:325)
==29701== by 0x44ABB0: slap_startup (init.c:219)
==29701== by 0x406C55: main (main.c:988)