ITS#479 fix: ber_put_seqorset() writes a few bytes beyond an allocated buffer
authorKurt Zeilenga <kurt@openldap.org>
Wed, 15 Mar 2000 19:47:22 +0000 (19:47 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Wed, 15 Mar 2000 19:47:22 +0000 (19:47 +0000)
Commit based upon patch and comments provided by Alan Clark <aclark@novell.com>.
> Kudos to Dave Steck for the find and fix

libraries/liblber/encode.c
libraries/liblber/io.c
libraries/liblber/lber-int.h

index 0b7fb7494e0244d93212345ecc1778b914c12d81..512ab906033ecf5091922afdb561549a533160b1 100644 (file)
@@ -581,6 +581,21 @@ ber_put_seqorset( BerElement *ber )
                unsigned char nettag[sizeof(ber_tag_t)];
                ber_tag_t tmptag = (*sos)->sos_tag;
 
+               if( ber->ber_sos->sos_ptr > ber->ber_end ) {
+                       /* The sos_ptr exceeds the end of the BerElement
+                        * this can happen, for example, when the sos_ptr
+                        * is near the end and no data was written for the
+                        * 'V'.  We must realloc the BerElement to ensure
+                        * we don't overwrite the buffer when writing
+                        * the tag and length fields.
+                        */
+                       ber_len_t ext = ber->ber_sos->sos_ptr - ber->ber_end;
+
+                       if( ber_realloc( ber,  ext ) != 0 ) {
+                               return -1;
+                       }
+               }
+
                /* the tag */
                taglen = ber_calc_taglen( tmptag );
 
index 96b02ad861e61eada4229ec1a724833b0e95cc16..e153cc997cb334d29aec08dcf39ed398579d5e36 100644 (file)
@@ -39,10 +39,6 @@ static ber_slen_t BerRead LDAP_P((
        char *buf,
        ber_len_t len ));
 
-static int ber_realloc LDAP_P((
-       BerElement *ber,
-       ber_len_t len ));
-
 #define EXBUFSIZ       1024
 
 /* probably far too large... */
@@ -137,7 +133,7 @@ ber_write(
        }
 }
 
-static int
+int
 ber_realloc( BerElement *ber, ber_len_t len )
 {
        ber_len_t       need, have, total;
index cbfe658f5e268e4f2255c9da124bbb8557c0b89b..15556d95830a28e39098f0fcd1b71bc6ad0382a1 100644 (file)
@@ -175,6 +175,13 @@ struct seqorset {
 };
 
 
+/*
+ * io.c
+ */
+int ber_realloc LDAP_P((
+       BerElement *ber,
+       ber_len_t len ));
+
 /*
  * bprint.c
  */
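Review bot: The prototype added under the `io.c` heading makes ber_realloc visible to all of liblber without stating its contract. Judging by the encode.c caller, `len` is the number of extra bytes needed past `ber_end` and a non-zero return means failure, but neither is written down, nor is whether the buffer can move. A short comment above the declaration would cover it, for example `/* grow ber's buffer by at least len bytes; returns 0 on success */`, plus a sentence on whether callers must re-read pointers into the buffer afterwards. Since the definition in io.c is no longer `static`, it is also worth checking that the symbol does not become part of the library's exported interface.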