Bug in ldapdb_plugin - No check if memory is exhausted in ldapdb_canon_client

Howard Chu hyc at highlandsun.com
Fri May 14 10:06:20 EDT 2010


Lars Duesing wrote:
> Hi List,
>
> I used the ldapdb_plugin as a template for my sql_plugin-enhancements.
>
> While reading through the code there is one problem coming to my mind:
>
> In ldapdb_canon_client there is NO check whether ulen is greater than out_umax
> – maybe it is only a minor issue because the string user is only truncated,
> but I didn’t have a look if there could be any situation where the size of the
> string user could be greater than out_umax.

Yeah, didn't seem to be a likely case. Still probably ought to be fixed.
>
> Patch would be:
>
>>if (ulen>out_umax) return SASL_NOMEM;

Should use SASL_BUFOVER actually.
>
> Just in front of the memcpy.
>
> Lars
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
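
The length check discussed in this thread, returning SASL_BUFOVER, as an added example (not code from the ldapdb plugin or from either poster). The helper name `canon_copy_user` is hypothetical, the result codes are redefined locally with the values from sasl.h, and the caller's buffer is assumed to hold out_umax bytes plus a terminating NUL.

```c
#include <stdio.h>
#include <string.h>

/* Result codes with the same values as sasl.h, defined locally so the
 * example builds without libsasl installed. */
#define SASL_OK        0
#define SASL_BUFOVER  (-3)
#define SASL_BADPARAM (-7)

/*
 * Hypothetical helper, not the plugin's own function: copy a user name into
 * a caller-supplied canonicalization buffer.
 * Assumption: out points to at least out_umax + 1 bytes, so out_umax counts
 * name bytes only and excludes the terminating NUL.
 */
int canon_copy_user(const char *user, unsigned ulen,
                    char *out, unsigned out_umax, unsigned *out_ulen)
{
    if (!user || !out || !out_ulen)
        return SASL_BADPARAM;

    /* The check from the thread, placed just in front of the memcpy.
     * On failure nothing is written to out or out_ulen. */
    if (ulen > out_umax)
        return SASL_BUFOVER;

    memcpy(out, user, ulen);
    out[ulen] = '\0';          /* fits because of the out_umax + 1 assumption */
    *out_ulen = ulen;
    return SASL_OK;
}

int main(void)
{
    char out[8 + 1];           /* out_umax = 8, plus one byte for the NUL */
    unsigned n = 0;

    /* Constructed sample inputs: one name that fits, one that does not. */
    int ok  = canon_copy_user("alice", 5, out, 8, &n);
    int bad = canon_copy_user("averylongusername", 17, out, 8, &n);

    printf("fits: rc=%d user=%s len=%u\n", ok, out, n);
    printf("too long: rc=%d\n", bad);
    return 0;
}
```

If a caller passes the full buffer size as out_umax instead, the comparison has to be `ulen >= out_umax` so the terminator still fits.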

