AW: Bug in ldapdb_plugin - No check if memory is exhausted in ldapdb_canon_client

Lars Duesing lars.duesing at camelotsweb.de
Thu Jun 10 06:59:58 EDT 2010


Alexey,

Your patch is a little bit overcautious. You could test just in front of the
line
    memcpy(out, user, ulen);

In the lines before that ulen gets decremented.

Lars

-----Ursprüngliche Nachricht-----
Von: Alexey Melnikov [mailto:alexey.melnikov at isode.com] 
Gesendet: Donnerstag, 10. Juni 2010 12:46
An: Howard Chu
Cc: Lars Duesing; cyrus-sasl at lists.andrew.cmu.edu
Betreff: Re: Bug in ldapdb_plugin - No check if memory is exhausted in
ldapdb_canon_client

Howard Chu wrote:

> Lars Duesing wrote:
>
>> Hi List,
>>
>> I used the ldapdb_plugin as a template for my sql_plugin-enhancements.
>>
>> While reading through the code there is one problem coming to my mind:
>>
>> In ldapdb_canon_client there is NO check whether ulen is greater than 
>> out_umax – maybe it is only a minor issue because the string user is 
>> only truncated, but I didn’t have a look if there could be any 
>> situation where the size of the string user could be greater than 
>> out_umax.
>
> Yeah, didn't seem to be a likely case. Still probably ought to be fixed.
>
>> Patch would be:
>>
>>> if (ulen>out_umax) return SASL_NOMEM;
>>
> Should use SASL_BUFOVER actually. 

Agreed.
Committed.

>
>> Just in front of the memcpy.
>>
>> Lars
>


More information about the Cyrus-sasl mailing list