ITS#6303

diff --git a/CHANGES b/CHANGES
index 41e936e9a78decf4c0ea7f2e065c6e288f1253f3..9e775201257dbc81475d30deecae759f76f24425 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,7 @@ OpenLDAP 2.4 Change Log
 
 OpenLDAP 2.4.19 Engineering
        Fixed slapd tools to allow -n for conversion (ITS#6258)
+       Fixed slapd-ldif buffer overflow (ITS#6303)
        Fixed slapo-dynlist lock leak (ITS#6308)
        Fixed slapo-pcache cache corruption (ITS#6242)
        Fixed slapo-sssvlv sort control dereferencing (ITS#6288)

diff --git a/servers/slapd/back-ldif/ldif.c b/servers/slapd/back-ldif/ldif.c
index 4625af8c8d71a0d554076661401e02a3ebe1cbd9..4af7ad470a7a5ba6b9965e036a8e92959fae2b30 100644 (file)
--- a/servers/slapd/back-ldif/ldif.c
+++ b/servers/slapd/back-ldif/ldif.c
@@ -593,9 +593,9 @@ typedef struct bvlist {
        char *trunc;    /* filename was truncated here */
        int  inum;              /* num from "attr={num}" in filename, or INT_MIN */
        char savech;    /* original char at *trunc */
-       char fname;             /* variable length array BVL_NAME(bvl) = &fname */
-#      define BVL_NAME(bvl) ((char *) (bvl) + offsetof(bvlist, fname))
-#      define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen))
+       /* BVL_NAME(&bvlist) is the filename, allocated after the struct: */
+#      define BVL_NAME(bvl)     ((char *) ((bvl) + 1))
+#      define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen) + 1)
 } bvlist;
 
 static int