From: Howard Chu
Date: Thu, 24 Apr 2003 02:10:18 +0000 (+0000)
Subject: ITS#2465 fix? ber_get_next must read at least sizeof(tag)+sizeof(len)
X-Git-Tag: OPENLDAP_REL_ENG_2_2_0ALPHA~260
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=bcf7ab26e47e2b297cb3f0ded93b677a29bfb4e3;p=openldap

ITS#2465 fix? ber_get_next must read at least sizeof(tag)+sizeof(len)
which should be at most 8 bytes. However, if we read more than the minimum
message length, we have a problem because we steal bytes from any following
message, and there is no buffer mechanism to push back excess data. The
shortest legitimate message is Unbind at 7 bytes, but there shouldn't be
anything following it. Abandon at 8 bytes is next, so always requesting at
least 8 bytes should be safe. Always requesting 9 was a problem. Please
double-check these assumptions...
---
diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c index 064d80e0ee..c618d0b286 100644 --- a/libraries/liblber/io.c +++ b/libraries/liblber/io.c @@ -510,13 +510,13 @@ ber_get_next( } while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr < - (char *)&ber->ber_len + LENSIZE*2) { + (char *)&ber->ber_len + LENSIZE*2 -1) { ber_slen_t sblen; char buf[sizeof(ber->ber_len)-1]; ber_len_t tlen = 0; sblen=ber_int_sb_read( sb, ber->ber_rwptr, - ((char *)&ber->ber_len + LENSIZE*2)-ber->ber_rwptr); + ((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr); if (sblen<=0) return LBER_DEFAULT; ber->ber_rwptr += sblen;
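Review bot: The corrected read-ahead bound is written as struct offset arithmetic, `(char *)&ber->ber_len + LENSIZE*2 - 1`, repeated verbatim in both the `while` condition and the `ber_int_sb_read` length, so nothing in io.c records why `-1` is the right adjustment (the commit message's reasoning that Abandon, at 8 bytes, is the shortest PDU that can be followed by more data) and the two copies can drift apart on a later edit. Suggest computing the window end once into a local, with a comment carrying the 7/8-byte argument, and using that local in both places. Since the window is expressed through `LENSIZE` rather than the protocol's fixed 8, it is also worth confirming that it still comes out to exactly 8 bytes on every platform this builds for, which is the "double-check these assumptions" the message asks for.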
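As an added check of the commit message's length reasoning (example code, not OpenLDAP's): it BER-encodes the two shortest LDAPMessages, UnbindRequest and AbandonRequest, and models a ber_get_next-style reader that always requests a fixed minimum number of bytes, showing that a 9-byte minimum consumes one byte of whatever follows an Abandon while an 8-byte minimum does not. The message IDs, the byte stream and the modelled reader are constructed here and are not the library's code.

```python
# Added example (not OpenLDAP code): verify the minimum LDAPMessage sizes
# the commit message relies on, then model a reader with a fixed minimum
# read size to see whether it steals bytes from the next message.
from typing import Tuple


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV in definite short form (content < 128 bytes)."""
    assert len(content) < 128, "short-form length only in this example"
    return bytes([tag, len(content)]) + content


def ber_int(value: int) -> bytes:
    """BER INTEGER for a small non-negative value (one content byte)."""
    assert 0 <= value < 128
    return ber_tlv(0x02, bytes([value]))


def ldap_unbind(msg_id: int) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, UnbindRequest }
    # UnbindRequest ::= [APPLICATION 2] NULL, implicit tag 0x42, empty content.
    return ber_tlv(0x30, ber_int(msg_id) + ber_tlv(0x42, b""))


def ldap_abandon(msg_id: int, target_id: int) -> bytes:
    # AbandonRequest ::= [APPLICATION 16] MessageID, implicit tag 0x50
    # wrapping the INTEGER content of the message ID being abandoned.
    return ber_tlv(0x30, ber_int(msg_id) + bytes([0x50, 0x01, target_id]))


def read_first_message(stream: bytes, min_read: int) -> Tuple[bytes, int]:
    """Model of a reader that first pulls min_read bytes to learn tag and
    length, then the rest of the message. There is no push-back, so any
    bytes pulled beyond the message are lost to the next one.
    Returns (message, bytes taken from whatever follows it)."""
    head = stream[:min_read]
    total = 2 + head[1]            # tag byte + short-form length byte + content
    consumed = max(min_read, total)
    return stream[:total], consumed - total


def stolen_bytes(min_read: int) -> int:
    """Bytes stolen from the message after an Abandon (constructed stream)."""
    stream = ldap_abandon(1, 1) + ldap_unbind(2)
    msg, over = read_first_message(stream, min_read)
    assert msg == ldap_abandon(1, 1)
    return over
```

Unbind comes out at 7 bytes and Abandon at 8, as the commit message states, and `stolen_bytes(9)` is 1 while `stolen_bytes(8)` is 0.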