
Unprotected buffer in openldap-19981116



There is an unprotected buffer in servers/slapd/configinfo.c
(config_info) which might overflow during the following loop:

	for ( i = 0; i < nbackends; i++ ) {
		strcpy( buf, backends[i].be_type );
		for ( j = 0; backends[i].be_suffix[j] != NULL; j++ ) {
			strcat( buf, " : " );
			strcat( buf, backends[i].be_suffix[j] );
		}
		val.bv_val = buf;
		val.bv_len = strlen( buf );
		attr_merge( e, "database", vals );
	}

If there are backends with many and loooong suffixes... you know this
*will* happen. Besides this, due to the strcats the runtime is O(n^2).

Regards

J.Pietschmann
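
A bounded, linear-time way to build the same "type : suffix : suffix" value, as an added example that is not part of the original post and is not OpenLDAP's own code. It tracks the write offset so each piece is copied once, and it refuses to truncate; `struct backend_info`, `append_bounded`, `format_backend` and the sample data are hypothetical names made up for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for slapd's backend struct: only the fields the loop reads. */
struct backend_info { const char *be_type; const char **be_suffix; /* NULL-terminated */ };

/* Constructed sample data, not taken from any real slapd configuration. */
static const char *sample_suffixes[] = { "dc=example,dc=com", "o=Example", NULL };
static const struct backend_info sample_be = { "ldbm", sample_suffixes };

/* Copy src to dst[*used] if it fits including the NUL; otherwise leave dst
 * untouched and return -1. Keeping the offset avoids the rescan that makes
 * repeated strcat() quadratic. */
static int append_bounded(char *dst, size_t cap, size_t *used, const char *src)
{
    size_t n = strlen(src);
    if (*used >= cap || n >= cap - *used)
        return -1;
    memcpy(dst + *used, src, n + 1);
    *used += n;
    return 0;
}

/* Returns the length written, or -1 if buf is too small for the full value. */
long format_backend(char *buf, size_t cap, const struct backend_info *be)
{
    size_t used = 0, j;
    if (cap == 0) return -1;
    buf[0] = '\0';
    if (append_bounded(buf, cap, &used, be->be_type) != 0)
        return -1;
    for (j = 0; be->be_suffix[j] != NULL; j++) {
        if (append_bounded(buf, cap, &used, " : ") != 0 ||
            append_bounded(buf, cap, &used, be->be_suffix[j]) != 0)
            return -1;
    }
    return (long)used;
}

int main(void)
{
    char buf[64];
    long n = format_backend(buf, sizeof buf, &sample_be);
    if (n < 0) { fputs("database value too long, not truncating\n", stderr); return 1; }
    printf("%ld: %s\n", n, buf);
    return 0;
}
```

A caller that cannot reject long values would instead size the buffer from the summed `strlen` of the type and suffixes before formatting.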