[Fedora-directory-devel] Please review: [Bug 472457] Specially crafted Server Side Sort crashes directory server or makes it unresponsive
Noriko Hosoi
nhosoi at redhat.com
Mon Nov 24 17:22:52 UTC 2008
Summary: Specially crafted Server Side Sort crashes directory server or
makes it unresponsive
https://bugzilla.redhat.com/show_bug.cgi?id=472457
[Problem Description]
A test case posted by Andrey Ivanov could cause the directory server to
crash. A function to log the server side sorting, sort_log_access, had a
bug in counting the string size to be stored in the buffer. The code meant
that if the string length is less than or equal to the static buffer size, it
uses the buffer. If it is longer, it allocates enough space
and uses it. This is a sample of the string to log:
SORT -sn;2.16.840.1.113730.3.3.2.18.1.6 -givenName;2.16.840.1.113730.3.3.2.18.1.6 (1944)
The last "(1944)" is a count of candidates. The length was missing in
the calculation for the string size.
[Proposed patch]
Created an attachment (id=324508)
cvs diff ldap/servers/slapd/back-ldbm/sort.c
The cause of the problem was a buffer overflow.
The length of the 2 sort specs "-sn;2.16.840.1.113730.3.3.2.18.1.6
-givenName;2.16.840.1.113730.3.3.2.18.1.6 " is just about the prepared buffer
size, which is unfortunate since there is no space for the candidate size,
e.g., "(1944)" being added later. By adding the "(1944)" to the static buffer,
it caused a buffer overflow and crashed your server.
The code to check the length of the candidate size before calculating the buffer size is added.
Thanks,
--noriko
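
The sizing rule described in the message above, as an added example (not the attached patch and not the server's code): the candidate count is formatted first, and its length is included in the size that decides between the static buffer and a heap allocation. The helper name build_sort_log, its parameters, the "SORT " prefix sharing the same buffer, and the buffer size used in main are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not the server's sort_log_access): formats
 * "SORT <specs>(<count>)" into buf when it fits, else into heap memory.
 * *on_heap is set to 1 when the caller must free() the result. */
static char *build_sort_log(const char *specs, int has_count, unsigned long count,
                            char *buf, size_t buf_size, int *on_heap)
{
    char suffix[32] = "";
    size_t need;
    char *out = buf;

    /* Format the candidate count first so its length is known ... */
    if (has_count)
        snprintf(suffix, sizeof suffix, "(%lu)", count);
    /* ... and include it, plus the NUL, in the size that picks the buffer. */
    need = strlen("SORT ") + strlen(specs) + strlen(suffix) + 1;

    *on_heap = 0;
    if (need > buf_size) {
        out = malloc(need);
        if (out == NULL)
            return NULL;
        *on_heap = 1;
    }
    snprintf(out, need, "SORT %s%s", specs, suffix); /* bounded write */
    return out;
}

int main(void)
{
    /* Sort specs from the post; the buffer size is constructed so the
     * message without the count fits exactly. */
    const char *specs = "-sn;2.16.840.1.113730.3.3.2.18.1.6 "
                        "-givenName;2.16.840.1.113730.3.3.2.18.1.6 ";
    char buf[256];
    size_t tight = strlen("SORT ") + strlen(specs) + 1;
    int on_heap;
    char *msg = build_sort_log(specs, 1, 1944, buf, tight, &on_heap);

    if (msg == NULL)
        return 1;
    printf("%s [%s]\n", msg, on_heap ? "heap" : "static");
    if (on_heap)
        free(msg);
    return 0;
}
```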