From 128a8ebbca21dcb5c7e14841f38e98e9635b7bef Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Tue, 29 Sep 2009 23:05:15 +0000
Subject: [PATCH] ITS#6303

---
 CHANGES                        | 1 +
 servers/slapd/back-ldif/ldif.c | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 41e936e9a7..9e77520125 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,7 @@ OpenLDAP 2.4 Change Log
 
 OpenLDAP 2.4.19 Engineering
 	Fixed slapd tools to allow -n for conversion (ITS#6258)
+	Fixed slapd-ldif buffer overflow (ITS#6303)
 	Fixed slapo-dynlist lock leak (ITS#6308)
 	Fixed slapo-pcache cache corruption (ITS#6242)
 	Fixed slapo-sssvlv sort control dereferencing (ITS#6288)
diff --git a/servers/slapd/back-ldif/ldif.c b/servers/slapd/back-ldif/ldif.c
index 4625af8c8d..4af7ad470a 100644
--- a/servers/slapd/back-ldif/ldif.c
+++ b/servers/slapd/back-ldif/ldif.c
@@ -593,9 +593,9 @@ typedef struct bvlist {
 	char *trunc;	/* filename was truncated here */
 	int  inum;		/* num from "attr={num}" in filename, or INT_MIN */
 	char savech;	/* original char at *trunc */
-	char fname;		/* variable length array BVL_NAME(bvl) = &fname */
-#	define BVL_NAME(bvl) ((char *) (bvl) + offsetof(bvlist, fname))
-#	define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen))
+	/* BVL_NAME(&bvlist) is the filename, allocated after the struct: */
+#	define BVL_NAME(bvl)     ((char *) ((bvl) + 1))
+#	define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen) + 1)
 } bvlist;
 
 static int
-- 
2.39.5