ldap/servers/plugins/cos/cos_cache.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
New commits:
commit d7c71db218f27cdbc2fcc39401a97b00e8d890a4
Author: William Brown <firstyear(a)redhat.com>
Date: Thu Dec 17 15:00:18 2015 +1000
Ticket 48387 - ASAN invalid read in cos_cache.c
Bug Description: ==7050== ERROR: AddressSanitizer: global-buffer-overflow on
address 0x7f643b32c5ff at pc 0x7f643b3217aa bp 0x7f64331c5f60 sp 0x7f64331c5f50
READ of size 1 at 0x7f643b32c5ff thread T5
#0 0x7f643b3217a9 in cos_cache_backwards_stricmp_and_clip
ds/ldap/servers/plugins/cos/cos_cache.c:3428
Issue exists in the array offset check, which allows the value to go to -1
causing the invalid read.
Fix Description: Fix the check to only allow the offset to go to 0, not -1
https://fedorahosted.org/389/ticket/48387
Author: wibrown
Review by: nhosoi (Thank you!)
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index db90ffa..cb5cb69 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -3413,14 +3413,18 @@ static int cos_cache_backwards_stricmp_and_clip(char*s1,char*s2)
int s1len = 0;
int s2len = 0;
- LDAPDebug( LDAP_DEBUG_TRACE, "-->
cos_cache_backwards_stricmp_and_clip\n",0,0,0);
-
s1len = strlen(s1);
s2len = strlen(s2);
+ LDAPDebug( LDAP_DEBUG_TRACE, "--> cos_cache_backwards_stricmp_and_clip s1 %d s2
%d\n",s1len,s2len,0);
+
if(s1len > s2len && s2len > 0)
{
- while(s1len > -1 && s2len > -1)
+ /* In some cases this can go below 0 causing invalid reads
+ * We make the check for > 0, because if we are at 1 -> 0 is next
+ * If the check is > -1, we can easily get to 0, then -1, creating invalid read.
+ */
+ while(s1len > 0 && s2len > 0)
{
s1len--;
s2len--;