
(ITS#6080) Page Fault in ber_strndup_x



Full_Name: Roger Smith
Version: 2.4.16
OS: Any
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (65.46.48.194)


The function ldap_bv2dn_x is supposed to handle a buffer that is not NULL
terminated, as are the functions ldap_bv2rdn_x, str2strval, and ber_strndup_x
(through macro LDAP_STRNDUPX) which are in its codepath.  However, in
ber_strndup_x (liblber/memory.c) a call is made to strlen which expects a NULL
terminated string.  At a minimum, this will waste CPU cycles as strlen can
continue far past the end of the buffer until it finds a NULL.  In the worst
case, this sometimes causes a page fault when strlen continues off into
protected memory.

This code should be changed to use strnlen, or a locally defined equivalent.
e.g.
669,673c669
<       len = strlen( s );
<
<       if ( len > l ) {
<               len = l;
<       }
---
>       len = strnlen( s, l );
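
Review bot: the `>` line depends on `strnlen`, which is POSIX.1-2008 and not part of C89/C99, so a platform without it will fail to build or link; guard the call with a configure check and fall back to a local equivalent such as `p = memchr( s, '\0', l ); len = p ? p - s : l;`. The hunk is also a context-free normal diff with no file header, so the 669,673 range only applies to the 2.4.16 copy of liblber/memory.c; a unified diff would make it reviewable against other versions.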
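
The bounded read the report asks for, as an added example (not code from the original post or from OpenLDAP): a memchr-based stand-in for strnlen, a duplicate routine built on it, and a check that places an unterminated value flush against a PROT_NONE guard page so that any read past the bound would fault. The names `bounded_len`, `bounded_dup` and `guard_page_check` and the sample value are assumptions made for this example, which also assumes a POSIX system with mmap.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1            /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical stand-in for strnlen: never reads more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Copy at most max bytes of s into a NUL-terminated heap string. */
static char *bounded_dup(const char *s, size_t max)
{
    size_t len = bounded_len(s, max);
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, s, len);
    p[len] = '\0';
    return p;
}

/* Constructed check: a 4-byte value with no NUL ends exactly where an
 * inaccessible page begins, so an unbounded strlen would fault here.
 * Returns 1 on a correct copy, 0 on mismatch, -1 if setup failed. */
static int guard_page_check(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *map = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int ok = -1;
    if (map == MAP_FAILED)
        return -1;
    if (mprotect(map + pg, pg, PROT_NONE) == 0) {
        char *val = map + pg - 4;    /* last 4 readable bytes */
        memcpy(val, "cn=x", 4);      /* constructed sample, unterminated */
        char *copy = bounded_dup(val, 4);
        ok = copy != NULL && strcmp(copy, "cn=x") == 0;
        free(copy);
    }
    munmap(map, 2 * pg);
    return ok;
}

int main(void) { return guard_page_check() == 1 ? 0 : 1; }
```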