We use ber_flatten2 in an unusual way, but I think this issue is generic
int ber_flatten2(
    BerElement *ber,
    struct berval *bv,
    int alloc )
{
    ...
    /* copy the berval */
    ber_len_t len = ber_pvt_ber_write( ber );
    if ( alloc ) {
        bv->bv_val = (char *) ber_memalloc_x( len + 1, ber->ber_memctx );
        if ( bv->bv_val == NULL ) {
            return -1;
        }
        AC_MEMCPY( bv->bv_val, ber->ber_buf, len );
    } else {
        bv->bv_val = ber->ber_buf;
    }
    bv->bv_val[len] = '\0';    /* <- ???? */
    bv->bv_len = len;
The problem I have is a crash, because of the bv->bv_val[len] = '\0' when alloc is set to zero, AND the buffer that was passed in was generated by ber_realloc, which did not leave an extra byte at the end, resulting in a write beyond the allocated memory block.
The questions I have are:
1) Is the zero terminator really necessary?
2) If so, it seems like it should only be done if we actually allocated a new buffer (which does leave one byte at the end).
Thanks
Dave Daugherty
Centrify Corp.
BTW, this is my first post here, so let me know
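A minimal model of the two paths described in the report, added here as an example and not OpenLDAP's own code: the `flat_buf`, `flat_out`, `flatten_alloc` and `flatten_inplace` names are hypothetical. The allocating path reserves `len + 1` bytes as liblber does, while the in-place path checks that the caller's buffer actually has room for the terminator before writing it, which is the behaviour question 2 asks for.

```c
/* Added example (not OpenLDAP code): model of the terminator write in a
 * ber_flatten2-style routine. All names here are hypothetical. */
#include <stdlib.h>
#include <string.h>

struct flat_buf {
    char *buf;    /* bytes produced by the encoder */
    size_t len;   /* number of valid bytes */
    size_t cap;   /* bytes actually allocated for buf */
};

struct flat_out {
    char *val;    /* flattened bytes, NUL-terminated */
    size_t len;   /* length without the terminator */
};

/* Allocating path: we own the new block, so len + 1 is always safe. */
int flatten_alloc(const struct flat_buf *src, struct flat_out *out)
{
    char *p = malloc(src->len + 1);
    if (p == NULL)
        return -1;
    memcpy(p, src->buf, src->len);
    p[src->len] = '\0';
    out->val = p;
    out->len = src->len;
    return 0;
}

/* In-place path: the block was sized by someone else, so the terminator
 * is written only when a spare byte exists; otherwise report failure
 * instead of writing one byte past the allocation. */
int flatten_inplace(struct flat_buf *src, struct flat_out *out)
{
    if (src->cap < src->len + 1)
        return -1;
    src->buf[src->len] = '\0';
    out->val = src->buf;
    out->len = src->len;
    return 0;
}
```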
--On Tuesday, November 10, 2009 10:21 AM -0800 Dave Daugherty dave.daugherty@centrify.com wrote:
Hi Dave,
Thanks for the detailed report, this is a definite bug. Can you please file an ITS at http://www.openldap.org/its and include the same technical details as in this email?
Thanks!
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Done - #6371
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Tuesday, November 10, 2009 2:44 PM