From 0fabdf51f8d32b6fc7f947a9526b780436f55428 Mon Sep 17 00:00:00 2001
From: William Brown
Date: Thu, 17 Dec 2015 15:00:18 +1000
Subject: [PATCH] Ticket 48387 - ASAN invalid read in cos_cache.c

Bug Description: ==7050== ERROR: AddressSanitizer?: global-buffer-overflow on address 0x7f643b32c5ff at pc 0x7f643b3217aa bp 0x7f64331c5f60 sp 0x7f64331c5f50 READ of size 1 at 0x7f643b32c5ff thread T5
#0 0x7f643b3217a9 in cos_cache_backwards_stricmp_and_clip ds/ldap/servers/plugins/cos/cos_cache.c:3428
Issue exists in the array offset check, which allows the value to go to -1 causing the invalid read.
Fix Description: Fix the check to only allow the offset to go to 0, not -1
https://fedorahosted.org/389/ticket/48387
Author: wibrown
Review by: ???
---
 ldap/servers/plugins/cos/cos_cache.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index db90ffa..cb5cb69 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -3413,14 +3413,18 @@ static int cos_cache_backwards_stricmp_and_clip(char*s1,char*s2)
 int s1len = 0;
 int s2len = 0;

- LDAPDebug( LDAP_DEBUG_TRACE, "--> cos_cache_backwards_stricmp_and_clip\n",0,0,0);
-
 s1len = strlen(s1);
 s2len = strlen(s2);

+ LDAPDebug( LDAP_DEBUG_TRACE, "--> cos_cache_backwards_stricmp_and_clip s1 %d s2 %d\n",s1len,s2len,0);
+
 if(s1len > s2len && s2len > 0)
 {
- while(s1len > -1 && s2len > -1)
+ /* In some cases this can go below 0 causing invalid reads
+ * We make the check for > 0, because if we are at 1 -> 0 is next
+ * If the check is > -1, we can easily get to 0, then -1, creating invalid read.
+ */
+ while(s1len > 0 && s2len > 0)
 {
 s1len--;
 s2len--;
-- 
2.5.0
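Review bot: The new bound `while(s1len > 0 && s2len > 0)` is correct only because both counters are decremented (`s1len--; s2len--;`) before they are presumably used as indices, and the four-line comment above it describes the crash rather than that invariant; the indexing itself happens past the end of the hunk, so this is inferred. A comment tied to the reason would age better, e.g. `/* Both counters are decremented before being used as indices, so stop at 1: letting 0 through would index -1 (ticket 48387). */`. Given the enclosing `if(s1len > s2len && s2len > 0)` and lockstep decrements, `s2len > 0` alone bounds the loop, so a word on whether `s1len > 0` is intended as a belt-and-braces check would help the next reader. The `%d` conversions in the added LDAPDebug match the `int` lengths, though `s1len = strlen(s1)` still narrows `size_t` to `int`; that is pre-existing context, not part of this change.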