AW: Bug in ldapdb_plugin - No check if memory is exhausted in ldapdb_canon_client

Alexey Melnikov alexey.melnikov at isode.com
Thu Jun 10 07:06:59 EDT 2010


Lars Duesing wrote:

>Alexey,
>
>Your patch is a little bit overcautious. You could test just in front of the
>line
>    memcpy(out, user, ulen);
>
>In the lines before that ulen gets decremented.
>  
>
Ok.

>Lars
>
>-----Original Message-----
>From: Alexey Melnikov [mailto:alexey.melnikov at isode.com]
>Sent: Thursday, 10 June 2010 12:46
>To: Howard Chu
>Cc: Lars Duesing; cyrus-sasl at lists.andrew.cmu.edu
>Subject: Re: Bug in ldapdb_plugin - No check if memory is exhausted in
>ldapdb_canon_client
>
>Howard Chu wrote:
>
>  
>
>>Lars Duesing wrote:
>>
>>    
>>
>>>Hi List,
>>>
>>>I used the ldapdb_plugin as a template for my sql_plugin-enhancements.
>>>
>>>While reading through the code there is one problem coming to my mind:
>>>
>>>In ldapdb_canon_client there is NO check whether ulen is greater than 
>>>out_umax – maybe it is only a minor issue because the string user is 
>>>only truncated, but I didn’t have a look if there could be any 
>>>situation where the size of the string user could be greater than 
>>>out_umax.
>>>      
>>>
>>Yeah, didn't seem to be a likely case. Still probably ought to be fixed.
>>
>>    
>>
>>>Patch would be:
>>>
>>>      
>>>
>>>>if (ulen>out_umax) return SASL_NOMEM;
>>>>        
>>>>
>>Should use SASL_BUFOVER actually. 
>>    
>>
>
>Agreed.
>Committed.
>
>  
>
>>>Just in front of the memcpy.
>>>
>>>Lars
>>>      
>>>
>>
>  
>


-- 
IETF Application Area Director, <http://www.ietf.org/iesg/members.html>
Internet Messaging Team Lead, <http://www.isode.com>
JID: same as my email address
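
The placement discussed in this thread (length check directly before the memcpy, after ulen has been decremented), as an added example that is not part of the original message and is not the Cyrus SASL source. The function name canon_copy, the EX_* result codes, the modelling of the decrement as whitespace trimming, and the buffer holding out_umax bytes plus a terminating NUL are all assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the SASL result codes named in the thread (local to this example). */
enum { EX_OK = 0, EX_FAIL = -1, EX_BUFOVER = -3 };

/*
 * Hypothetical canonicalisation helper: trims surrounding whitespace from
 * user[0..ulen) and copies the result into out.
 * Assumption: out has room for out_umax bytes plus a terminating NUL.
 */
static int canon_copy(const char *user, unsigned ulen,
                      char *out, unsigned out_umax, unsigned *out_ulen)
{
    if (!user || !out || !out_ulen)
        return EX_FAIL;

    /* Trimming shrinks ulen, so a size check made before this point
     * would reject names that fit once trimmed. */
    while (ulen > 0 && isspace((unsigned char)*user)) {
        user++;
        ulen--;
    }
    while (ulen > 0 && isspace((unsigned char)user[ulen - 1]))
        ulen--;

    if (ulen == 0)
        return EX_FAIL;              /* nothing left after trimming */

    /* The check from the thread, placed directly before the memcpy. */
    if (ulen > out_umax)
        return EX_BUFOVER;

    memcpy(out, user, ulen);
    out[ulen] = '\0';
    *out_ulen = ulen;
    return EX_OK;
}

int main(void)
{
    char buf[9];                     /* out_umax = 8, plus NUL */
    unsigned n = 0;
    /* Constructed input: raw length 9 exceeds out_umax, trimmed length 5 fits. */
    int rc = canon_copy("  alice  ", 9, buf, 8, &n);
    printf("%d %s\n", rc, rc == EX_OK ? buf : "-");
    return 0;
}
```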


