We use ber_flatten2 in an unusual way, but I think this issue is generic

int ber_flatten2(
	BerElement *ber,
	struct berval *bv,
	int alloc )
{
	/* copy the berval */
	ber_len_t len = ber_pvt_ber_write( ber );

	if ( alloc ) {
		bv->bv_val = (char *) ber_memalloc_x( len + 1, ber->ber_memctx );
		if ( bv->bv_val == NULL ) {
			return -1;
		}
		AC_MEMCPY( bv->bv_val, ber->ber_buf, len );
	} else {
		bv->bv_val = ber->ber_buf;
	}
	bv->bv_val[len] = '\0'; /* <- ???? */
	bv->bv_len = len;

	return 0;
}

The problem I have is a crash, because of the bv->bv_val[len] = '\0' when alloc is set to zero, AND the buffer that was passed in was generated by ber_realloc, which did not leave an extra byte at the end, resulting in a write beyond the allocated memory block.


The questions I have are:

1) Is the zero terminator really necessary?

2) If so, it seems like it should only be done if we actually allocated a new buffer (which does leave one byte at the end).

Thanks

Dave Daugherty
Centrify Corp.

BTW this is my first post here, so let me know
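To illustrate the second question, here is an added example (not liblber's code) of a flatten routine that writes the terminator only on the path that allocated room for it, together with a canary check on the borrowed-buffer path. MiniBer, MiniBerval, mini_flatten2 and the sample bytes are hypothetical stand-ins for the real BerElement/berval types and ber_pvt_ber_write.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for liblber's types: ber_buf is the start of the
 * encoded data and ber_ptr points one past its last byte. */
typedef struct { char *ber_buf; char *ber_ptr; } MiniBer;
typedef struct { size_t bv_len; char *bv_val; } MiniBerval;
/* Flatten as the second question proposes: the NUL is written only on the
 * alloc path, where the function itself reserved the extra byte. */
int mini_flatten2(MiniBer *ber, MiniBerval *bv, int alloc)
{
    size_t len = (size_t)(ber->ber_ptr - ber->ber_buf);
    if (alloc) {
        bv->bv_val = malloc(len + 1);   /* +1 reserves room for the '\0' */
        if (bv->bv_val == NULL)
            return -1;
        memcpy(bv->bv_val, ber->ber_buf, len);
        bv->bv_val[len] = '\0';         /* safe: inside our own allocation */
    } else {
        bv->bv_val = ber->ber_buf;      /* borrowed buffer: never write past len */
    }
    bv->bv_len = len;
    return 0;
}

/* Borrowed path: an exactly-sized buffer followed by a canary byte.
 * Returns 1 if the canary is intact after flattening, 0 otherwise. */
int borrowed_path_keeps_canary(void)
{
    char backing[5] = { 0x30, 0x02, 0x01, 0x05, 'X' }; /* constructed sample */
    MiniBer ber = { backing, backing + 4 };             /* no slack byte */
    MiniBerval bv;
    if (mini_flatten2(&ber, &bv, 0) != 0)
        return 0;
    return bv.bv_len == 4 && bv.bv_val == backing && backing[4] == 'X';
}

/* Alloc path: the copy matches and carries a terminator at bv_val[len].
 * Returns 1 on success, 0 otherwise. */
int alloc_path_is_terminated(void)
{
    char backing[4] = { 0x30, 0x02, 0x01, 0x05 };       /* constructed sample */
    MiniBer ber = { backing, backing + 4 };
    MiniBerval bv;
    int ok;
    if (mini_flatten2(&ber, &bv, 1) != 0)
        return 0;
    ok = bv.bv_len == 4 && memcmp(bv.bv_val, backing, 4) == 0 && bv.bv_val[4] == '\0';
    free(bv.bv_val);
    return ok;
}
```

With the original unconditional `bv->bv_val[len] = '\0'`, the borrowed-path check would overwrite the canary, which is the out-of-bounds write described above; an ASan build of the caller catches the same thing.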