
servers/slapd/back-shell/result.c realloc bug (ITS#506)



Full_Name: Mei-Hui Su
Version: 1.2.(7,9,10) and dev tree
OS: solaris
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (128.9.64.206)


>  We found a bug in servers/slapd/back-shell/result.c in 1.2.9 and
>also in 1.2.7 and the development tree. What happens is that when
>buf got 'reallocated', the bp (the buf place pointer) did not get
>moved. This will lead to memory corruption and seg faults. This is 
>the patch for it,

diff -u /nfs/globus2/MEI/nPROJ_CC/OpenLDAP/globus-one/OpenLDAP-1.2.7-globus/servers/slapd/back-shell/result.c
result.c
--- /nfs/globus2/MEI/nPROJ_CC/OpenLDAP/globus-one/OpenLDAP-1.2.7-globus/servers/slapd/back-shell/result.c
      Fri Apr 14 11:31:36 2000
+++ result.c    Mon Nov 16 15:24:31 1998
@@ -21,7 +21,7 @@
     int                attrsonly
 )
 {
-       int     bsize, len, offset;
+       int     bsize, len;
        char    *buf, *bp;
        char    line[BUFSIZ];
        Entry   *e;
@@ -43,9 +43,7 @@
                len = strlen( line );
                while ( bp + len - buf > bsize ) {
                        bsize += BUFSIZ;
-                       offset = (int) (bp - buf);
                        buf = (char *) ch_realloc( buf, bsize );
-                       bp = buf + offset;
                }
                strcpy( bp, line );
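Review bot: the hunk at @@ -43,9 +43,7 @@ removes the fix instead of adding it: the `-` lines `offset = (int) (bp - buf);` and `bp = buf + offset;` are exactly the save/restore of bp across ch_realloc that the report says is missing, and the `---` side is the globus copy dated Apr 14 2000 while the `+++` side, result.c, is dated Nov 16 1998, so diff -u was run with the patched file as the old argument. Regenerate the diff with the unmodified result.c as `---` and the fixed copy as `+++`, so that the two offset lines and the `int offset` declaration in the first hunk appear as `+` lines; as shown, `patch` would strip the fix from a file that already has it and fail on one that does not. The trailing context line `bp += len;` of this hunk appears after the reporter's closing paragraph rather than here.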

> We have already double checked the other back-X directories in
>1.2.7 and 1.2.9 and the development tree. back-ldbm's search.c got
>it correctly. But in the development tree's servers/slapd/back-tcl's
>tcl_modify.c(1) and tcl_util.c(2), there are similar problems.
>
>mei
bp += len;
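The realloc hazard the report describes, as an added C example that is not OpenLDAP's code: a growable output buffer whose write position bp is saved as an offset before realloc() and restored after it, the same thing the offset lines in the patch do. CHUNK, struct outbuf, outbuf_append and build_entry are constructed names, and the entry text is constructed sample input; CHUNK is deliberately small so a few short lines force several reallocations.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed chunk size; the real back-shell code grows by BUFSIZ. */
#define CHUNK 16

/* buf: start of the allocation; bp: write position; bsize: bytes allocated */
struct outbuf { char *buf; char *bp; int bsize; };

/* Append one line, growing the buffer as needed. The write position is
 * carried across realloc() as an offset: realloc() may move the block,
 * which leaves a pointer into the old one dangling (the ITS#506 bug). */
static int outbuf_append(struct outbuf *ob, const char *line)
{
    size_t len = strlen(line);
    while ((size_t)(ob->bp - ob->buf) + len + 1 > (size_t)ob->bsize) {
        int   offset = (int)(ob->bp - ob->buf);   /* save position    */
        char *nbuf;
        ob->bsize += CHUNK;
        if ((nbuf = realloc(ob->buf, ob->bsize)) == NULL)
            return -1;
        ob->buf = nbuf;
        ob->bp  = ob->buf + offset;               /* restore position */
    }
    memcpy(ob->bp, line, len + 1);                /* copies the NUL too */
    ob->bp += len;
    return 0;
}

/* Assemble a constructed entry; returns malloc'd text (caller frees),
 * or NULL on allocation failure. Three lines of 30, 17 and 9 bytes
 * grow the buffer 16 -> 32 -> 48 -> 64, so bp crosses three realloc() calls. */
char *build_entry(void)
{
    static const char *lines[] = {
        "dn: cn=test,dc=example,dc=com\n", "objectClass: top\n", "cn: test\n",
    };
    struct outbuf ob;
    size_t i;
    ob.bsize = CHUNK;
    if ((ob.bp = ob.buf = malloc(CHUNK)) == NULL)
        return NULL;
    *ob.bp = '\0';
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (outbuf_append(&ob, lines[i]) != 0) {
            free(ob.buf);
            return NULL;
        }
    return ob.buf;
}
```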