From: Kurt Zeilenga
Date: Wed, 15 Mar 2000 19:47:22 +0000 (+0000)
Subject: ITS#479 fix: ber_put_seqorset() writes a few bytes beyond an allocated buffer
X-Git-Tag: LDBM_PRE_GIANT_RWLOCK~3145
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=c2050e04d312a76c58966443f70f48101e92ac8b;p=openldap
ITS#479 fix: ber_put_seqorset() writes a few bytes beyond an allocated buffer
Commit based upon patch and comments provided by Alan Clark .
> Kudos to Dave Steck for the find and fix
---
diff --git a/libraries/liblber/encode.c b/libraries/liblber/encode.c
index 0b7fb7494e..512ab90603 100644
--- a/libraries/liblber/encode.c
+++ b/libraries/liblber/encode.c
@@ -581,6 +581,21 @@ ber_put_seqorset( BerElement *ber )
 unsigned char nettag[sizeof(ber_tag_t)];
 ber_tag_t tmptag = (*sos)->sos_tag;
+ if( ber->ber_sos->sos_ptr > ber->ber_end ) {
+ /* The sos_ptr exceeds the end of the BerElement
+ * this can happen, for example, when the sos_ptr
+ * is near the end and no data was written for the
+ * 'V'. We must realloc the BerElement to ensure
+ * we don't overwrite the buffer when writing
+ * the tag and length fields.
+ */
+ ber_len_t ext = ber->ber_sos->sos_ptr - ber->ber_end;
+
+ if( ber_realloc( ber, ext ) != 0 ) {
+ return -1;
+ }
+ }
+
 /* the tag */
 taglen = ber_calc_taglen( tmptag );
diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
index 96b02ad861..e153cc997c 100644
--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -39,10 +39,6 @@ static ber_slen_t BerRead LDAP_P((
 char *buf,
 ber_len_t len ));
-static int ber_realloc LDAP_P((
- BerElement *ber,
- ber_len_t len ));
-
 #define EXBUFSIZ 1024 /* probably far too large... */
@@ -137,7 +133,7 @@ ber_write(
 }
 }
-static int
+int
 ber_realloc( BerElement *ber, ber_len_t len )
 {
 ber_len_t need, have, total;
diff --git a/libraries/liblber/lber-int.h b/libraries/liblber/lber-int.h
index cbfe658f5e..15556d9583 100644
--- a/libraries/liblber/lber-int.h
+++ b/libraries/liblber/lber-int.h
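Review bot: The new guard reads the seqorset through `ber->ber_sos` while the line directly above it uses the `sos` alias (`(*sos)->sos_tag`), so writing the condition and the `ext` computation as `(*sos)->sos_ptr` would keep the block consistent and make it obvious that the same innermost seqorset is meant. The fix also relies on `ber_realloc` re-basing every `sos_first`/`sos_ptr` in the `ber_sos` chain when the buffer moves; its body lies outside the hunk, so that should be confirmed, since the tag and length fields this block protects are presumably written through those pointers immediately afterwards. Growing by exactly the overshoot `ext` is sufficient only if those writes land at or below `sos_ptr`, which appears to be the intent but is worth stating, e.g. `/* tag and length are written below sos_ptr, so growing by the overshoot alone is enough */`. The enclosing branch of ber_put_seqorset starts and ends outside the hunk.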
@@ -175,6 +175,13 @@ struct seqorset {
 };
+/*
+ * io.c
+ */
+int ber_realloc LDAP_P((
+ BerElement *ber,
+ ber_len_t len ));
+
 /*
 * bprint.c
 */
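Review bot: The `ber_realloc` prototype is added to the internal header without any statement of its contract, and now that encode.c calls it from outside io.c, a caller needs to know what `len` means and what a failure leaves behind. From the encode.c hunk the caller passes the number of bytes by which the buffer is short and treats any non-zero return as an error, so a comment above the prototype such as `/* grow ber's buffer by at least len bytes; returns 0, or non-zero on failure */` would capture what the only caller assumes. Whether the buffer can move on success (invalidating pointers cached by callers) should be added once checked against the body in io.c, which is outside this page.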