https://bugzilla.redhat.com/show_bug.cgi?id=472457

[Problem Description]
A test case posted by Andrey Ivanov could cause the directory server to crash. A function to log the server side sorting, sort_log_access, had a bug in counting the string size to be stored in the buffer. The code meant that if the string length is less than or equal to the static buffer size, it uses the buffer. If it is longer, it allocates enough space and uses it. This is a sample of the string to log:

    SORT -sn;2.16.840.1.113730.3.3.2.18.1.6 -givenName;2.16.840.1.113730.3.3.2.18.1.6 (1944)

The last "(1944)" is a count of candidates. The length was missing in the calculation for the string size.

[Proposed patch]
Created an attachment (id=324508)
cvs diff ldap/servers/slapd/back-ldbm/sort.c

The cause of the problem was a buffer overflow. The length of the 2 sort specs "-sn;2.16.840.1.113730.3.3.2.18.1.6 -givenName;2.16.840.1.113730.3.3.2.18.1.6 " is just about the prepared buffer size, which is unfortunate since there is no space for the candidate size, e.g., "(1944)" being added later. Adding the "(1944)" to the static buffer caused a buffer overflow and crashed your server. Code to check the length of the candidate size before calculating the buffer size has been added.

Thanks,
--noriko
-- Fedora-directory-devel mailing list Fedora-directory-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-devel
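The sizing mistake described in the message, as an added example: this is not the patch from attachment 324508 nor the directory server's code. The buffer size of 84 and all function names are assumptions chosen so that the sample sort specs fit the static buffer until the candidate count is counted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size; the page only says the specs are "just about" the buffer size. */
#define LOG_BUF_SIZE 84

/* Constructed input modelled on the sample string in the message. */
static const char *SAMPLE_SPECS =
    "-sn;2.16.840.1.113730.3.3.2.18.1.6 "
    "-givenName;2.16.840.1.113730.3.3.2.18.1.6 ";

/* Flawed sizing as described: prefix and sort specs only, "(N)" forgotten. */
static size_t size_without_candidates(const char *specs)
{
    return strlen("SORT ") + strlen(specs) + 1;          /* +1 for the NUL */
}

/* Corrected sizing: measure the candidate suffix before picking a buffer. */
static size_t size_with_candidates(const char *specs, int candidates)
{
    int suffix = snprintf(NULL, 0, "(%d)", candidates);  /* length only */
    return strlen("SORT ") + strlen(specs) + (size_t)suffix + 1;
}

/* Formats into stack_buf when the full line fits, otherwise into heap memory.
 * Returns the buffer used (caller frees it when *on_heap is 1) or NULL. */
static char *format_sort_log(const char *specs, int candidates,
                             char *stack_buf, size_t stack_size, int *on_heap)
{
    size_t need = size_with_candidates(specs, candidates);
    char *out = stack_buf;
    *on_heap = 0;
    if (need > stack_size) {
        if ((out = malloc(need)) == NULL) return NULL;
        *on_heap = 1;
    }
    snprintf(out, need, "SORT %s(%d)", specs, candidates); /* bounded write */
    return out;
}

int main(void)
{
    char buf[LOG_BUF_SIZE];
    int on_heap;
    char *line = format_sort_log(SAMPLE_SPECS, 1944, buf, sizeof buf, &on_heap);
    if (line == NULL) return 1;
    printf("flawed=%zu correct=%zu heap=%d\n%s\n", size_without_candidates(SAMPLE_SPECS),
           size_with_candidates(SAMPLE_SPECS, 1944), on_heap, line);
    if (on_heap) free(line);
    return 0;
}
```

With these assumed sizes the flawed calculation reports 83 bytes, which fits the 84-byte buffer, while the full line needs 89, so only the corrected calculation sends it to the heap.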