AW: Bug in ldapdb_plugin - No check if memory is exhausted in ldapdb_canon_client
Alexey Melnikov
alexey.melnikov at isode.com
Thu Jun 10 07:06:59 EDT 2010
Lars Duesing wrote:
>Alexey,
>
>Your patch is a little bit overcautious. You could test just in front of the
>line
> memcpy(out, user, ulen);
>
>In the lines before that ulen gets decremented.
>
>
Ok.
>Lars
>
>-----Original Message-----
>From: Alexey Melnikov [mailto:alexey.melnikov at isode.com]
>Sent: Thursday, June 10, 2010 12:46
>To: Howard Chu
>Cc: Lars Duesing; cyrus-sasl at lists.andrew.cmu.edu
>Subject: Re: Bug in ldapdb_plugin - No check if memory is exhausted in
>ldapdb_canon_client
>
>Howard Chu wrote:
>
>
>
>>Lars Duesing wrote:
>>
>>
>>
>>>Hi List,
>>>
>>>I used the ldapdb_plugin as a template for my sql_plugin-enhancements.
>>>
>>>While reading through the code there is one problem coming to my mind:
>>>
>>>In ldapdb_canon_client there is NO check whether ulen is greater than
>>>out_umax – maybe it is only a minor issue because the string user is
>>>only truncated, but I didn’t have a look if there could be any
>>>situation where the size of the string user could be greater than
>>>out_umax.
>>>
>>>
>>Yeah, didn't seem to be a likely case. Still probably ought to be fixed.
>>
>>
>>
>>>Patch would be:
>>>
>>>
>>>
>>>>if (ulen>out_umax) return SASL_NOMEM;
>>>>
>>>>
>>Should use SASL_BUFOVER actually.
>>
>>
>
>Agreed.
>Committed.
>
>
>
>>>Just in front of the memcpy.
>>>
>>>Lars
>>>
>>>
>>
>
>
--
IETF Application Area Director, <http://www.ietf.org/iesg/members.html>
Internet Messaging Team Lead, <http://www.isode.com>
JID: same as my email address
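
The check discussed in this thread, as an added example that is not part of the original messages and not the plugin's own code: the length test sits directly in front of the `memcpy`, after `ulen` has been decremented, and returns `SASL_BUFOVER`. The function name `canon_copy`, the whitespace trimming as the reason `ulen` shrinks, the locally defined result codes and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the result codes named in the thread;
 * real plugin code takes them from sasl.h. */
#define SASL_OK       0
#define SASL_FAIL    (-1)
#define SASL_BUFOVER (-3)

/* Hypothetical canonicalizer (assumed shape, not the plugin's code):
 * trims surrounding whitespace from user[0..ulen) and copies the rest
 * into out, which holds out_umax bytes. No NUL terminator is written;
 * the copied length is returned through out_ulen. */
static int canon_copy(const char *user, unsigned ulen,
                      char *out, unsigned out_umax, unsigned *out_ulen)
{
    if (!user || !out || !out_ulen)
        return SASL_FAIL;

    /* Trimming only ever decrements ulen. */
    while (ulen > 0 && isspace((unsigned char)*user)) {
        user++;
        ulen--;
    }
    while (ulen > 0 && isspace((unsigned char)user[ulen - 1]))
        ulen--;
    if (ulen == 0)
        return SASL_FAIL;

    /* Test the final length, directly in front of the copy. */
    if (ulen > out_umax)
        return SASL_BUFOVER;

    memcpy(out, user, ulen);
    *out_ulen = ulen;
    return SASL_OK;
}

int main(void)
{
    char out[8];
    unsigned n = 0;
    /* Constructed inputs: 12 raw bytes that trim to 8, then 17 that do not fit. */
    printf("%d\n", canon_copy("  12345678  ", 12, out, sizeof out, &n));
    printf("%d\n", canon_copy("averylongusername", 17, out, sizeof out, &n));
    return 0;
}
```

A test placed before the trimming would reject the first input even though the trimmed name fits the buffer exactly.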