Bug in ldapdb_plugin - No check if memory is exhausted in ldapdb_canon_client
Alexey Melnikov
alexey.melnikov at isode.com
Thu Jun 10 06:45:45 EDT 2010
Howard Chu wrote:
> Lars Duesing wrote:
>
>> Hi List,
>>
>> I used the ldapdb_plugin as a template for my sql_plugin-enhancements.
>>
>> While reading through the code there is one problem coming to my mind:
>>
>> In ldapdb_canon_client there is NO check whether ulen is greater than
>> out_umax
>> – maybe it is only a minor issue because the string user is only
>> truncated,
>> but I didn’t have a look if there could be any situation where the
>> size of the
>> string user could be greater than out_umax.
>
> Yeah, didn't seem to be a likely case. Still probably ought to be fixed.
>
>> Patch would be:
>>
>>> if (ulen>out_umax) return SASL_NOMEM;
>>
> Should use SASL_BUFOVER actually.
Agreed.
Committed.
>
>> Just in front of the memcpy.
>>
>> Lars
>
More information about the Cyrus-sasl
mailing list