Lars Duesing wrote:

Alexey,

Your patch is a little bit overcautious. You could test just in front of the
line
   memcpy(out, user, ulen);

In the lines before that ulen gets decremented.
Ok.

Lars

-----Original Message-----
From: Alexey Melnikov [mailto:alexey.melni...@isode.com]
Sent: Thursday, 10 June 2010 12:46
To: Howard Chu
Cc: Lars Duesing; cyrus-sasl@lists.andrew.cmu.edu
Subject: Re: Bug in ldapdb_plugin - No check if memory is exhausted in
ldapdb_canon_client

Howard Chu wrote:

Lars Duesing wrote:

Hi List,

I used the ldapdb_plugin as a template for my sql_plugin-enhancements.

While reading through the code there is one problem coming to my mind:

In ldapdb_canon_client there is NO check whether ulen is greater than out_umax – maybe it is only a minor issue because the string user is only truncated, but I didn’t have a look if there could be any situation where the size of the string user could be greater than out_umax.
Yeah, didn't seem to be a likely case. Still probably ought to be fixed.

Patch would be:

if (ulen>out_umax) return SASL_NOMEM;
Should use SASL_BUFOVER actually.

Agreed.
Committed.

Just in front of the memcpy.

Lars



--
IETF Application Area Director, <http://www.ietf.org/iesg/members.html>
Internet Messaging Team Lead, <http://www.isode.com>
JID: same as my email address
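
The point about where the check goes, as an added example that is not the committed patch or code from ldapdb: `canon_copy_user` and `canon_copy_user_early` are hypothetical names, and the decrement of `ulen` before the `memcpy` is assumed to be whitespace trimming.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result codes with the values used in Cyrus SASL's sasl.h. */
#define SASL_OK        0
#define SASL_FAIL     -1
#define SASL_BUFOVER  -3

/* Hypothetical stand-in for the copy step of a canon_user callback.
 * Assumption: the lines before the memcpy trim whitespace, shrinking ulen. */
int canon_copy_user(const char *user, unsigned ulen,
                    char *out, unsigned out_umax, unsigned *out_ulen)
{
    if (!user || !out || !out_ulen)
        return SASL_FAIL;

    /* Trim leading and trailing whitespace; ulen is decremented here. */
    while (ulen && isspace((unsigned char)*user)) { user++; ulen--; }
    while (ulen && isspace((unsigned char)user[ulen - 1])) ulen--;
    if (!ulen)
        return SASL_FAIL;                 /* nothing left after trimming */

    /* Test the final length directly in front of the memcpy, so a name
     * that fits only after trimming is still accepted. */
    if (ulen > out_umax)
        return SASL_BUFOVER;

    memcpy(out, user, ulen);
    *out_ulen = ulen;
    return SASL_OK;
}

/* Same routine with the test on the untrimmed length, for comparison. */
int canon_copy_user_early(const char *user, unsigned ulen,
                          char *out, unsigned out_umax, unsigned *out_ulen)
{
    if (ulen > out_umax)
        return SASL_BUFOVER;              /* rejects input that would fit */
    return canon_copy_user(user, ulen, out, out_umax, out_ulen);
}

int main(void)
{
    char buf[8];
    unsigned n = 0;
    /* Constructed input: 9 bytes raw, 5 bytes after trimming. */
    printf("late=%d ", canon_copy_user("  alice  ", 9, buf, sizeof buf, &n));
    printf("early=%d\n", canon_copy_user_early("  alice  ", 9, buf, sizeof buf, &n));
    return 0;
}
```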
