ldap/servers/plugins/cos/cos_cache.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

New commits:
commit d7c71db218f27cdbc2fcc39401a97b00e8d890a4
Author: William Brown firstyear@redhat.com
Date: Thu Dec 17 15:00:18 2015 +1000
Ticket 48387 - ASAN invalid read in cos_cache.c
Bug Description:
==7050== ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f643b32c5ff at pc 0x7f643b3217aa bp 0x7f64331c5f60 sp 0x7f64331c5f50
READ of size 1 at 0x7f643b32c5ff thread T5
#0 0x7f643b3217a9 in cos_cache_backwards_stricmp_and_clip ds/ldap/servers/plugins/cos/cos_cache.c:3428
Issue exists in the array offset check, which allows the value to go to -1 causing the invalid read.
Fix Description: Fix the check to only allow the offset to go to 0, not -1
https://fedorahosted.org/389/ticket/48387
Author: wibrown
Review by: nhosoi (Thank you!)
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c index db90ffa..cb5cb69 100644 --- a/ldap/servers/plugins/cos/cos_cache.c +++ b/ldap/servers/plugins/cos/cos_cache.c @@ -3413,14 +3413,18 @@ static int cos_cache_backwards_stricmp_and_clip(char*s1,char*s2) int s1len = 0; int s2len = 0;
- LDAPDebug( LDAP_DEBUG_TRACE, "--> cos_cache_backwards_stricmp_and_clip\n",0,0,0); - s1len = strlen(s1); s2len = strlen(s2);
+ LDAPDebug( LDAP_DEBUG_TRACE, "--> cos_cache_backwards_stricmp_and_clip s1 %d s2 %d\n",s1len,s2len,0); + if(s1len > s2len && s2len > 0) { - while(s1len > -1 && s2len > -1) + /* In some cases this can go below 0 causing invalid reads + * We make the check for > 0, because if we are at 1 -> 0 is next + * If the check is > -1, we can easily get to 0, then -1, creating invalid read. + */ + while(s1len > 0 && s2len > 0) { s1len--; s2len--;
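Review bot: in the new `while(s1len > 0 && s2len > 0)` loop the `s1len > 0` test is redundant, because the enclosing `if(s1len > s2len && s2len > 0)` guarantees s1len stays larger than s2len while both are decremented together, so s2len alone bounds the walk. The added comment explains the off-by-one but not which index can underrun; naming s2len there would help the next reader. The counters are also still declared `int` and assigned from `strlen()`; declaring them `size_t` would rule out a negative index by type rather than by the loop condition, provided the rest of the function does not depend on signed values and the `%d` in the new trace message is adjusted to match. The diffstat shows only cos_cache.c changing, so a regression test that exercises the ASAN case from the ticket would be a useful follow-up.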
389-commits@lists.fedoraproject.org