Summary: Specially crafted Server Side Sort crashes directory server or
makes it unresponsive
A test case posted by Andrey Ivanov could cause the directory server to
crash. A function to log the server side sorting, sort_log_access, had a
bug in counting the string size to be stored in the buffer. The code meant
that if the string length is less than or equal to the static buffer size, it
uses the buffer. If it is longer, it allocates enough space
and uses that. This is the sample of the string to log:
The last "(1944)" is a count of candidates. The length was missing in
the calculation for the string size.
Created an attachment (id=324508)
cvs diff ldap/servers/slapd/back-ldbm/sort.c
The cause of the problem was a buffer overflow.
The length of the 2 sort specs "-sn;2.16.840.1.1137220.127.116.11.18.1.6
-givenName;2.16.840.1.113718.104.22.168.18.1.6 " is just about the prepared buffer
size, which is unfortunate since there is no space for the candidate size,
e.g., "(1944)", being added later. By adding the "(1944)" to it,
it caused a buffer overflow and crashed your server.
The code to check the length of the candidate size before calculating the buffer size is
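The sizing mistake described in the two comments above (the static-or-allocated buffer chosen from a length that leaves out the "(1944)" candidate count) is reconstructed below as an added example. This is not the server's sort.c code or the attached patch; the buffer-selection logic, the function names (size_buggy, size_fixed, build_sort_log, sample_result) and the static buffer size are assumptions chosen so that the specs from the report barely fit, as the comment says they did. The original appended "(N)" with an unbounded write; here snprintf bounds it and the function reports whether that write would have run past the buffer, so the buggy path can be shown without actually corrupting memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the two sort specs quoted in the bug, joined as the
   log code would see them, plus the candidate count from the bug. */
static const char SAMPLE_SPECS[] =
    "-sn;2.16.840.1.1137220.127.116.11.18.1.6 "
    "-givenName;2.16.840.1.113718.104.22.168.18.1.6 ";
#define SAMPLE_NCAND 1944

/* Bytes the "(N)" suffix occupies, e.g. 6 for "(1944)". */
size_t count_len(int ncand)
{
    char tmp[32];
    return (size_t)snprintf(tmp, sizeof tmp, "(%d)", ncand);
}

/* Buggy sizing (hypothetical reconstruction of what the report describes):
   only the specs and the terminating NUL are counted; "(N)" is forgotten. */
size_t size_buggy(const char *specs, int ncand)
{
    (void)ncand;
    return strlen(specs) + 1;
}

/* Fixed sizing: account for the "(N)" suffix before choosing a buffer. */
size_t size_fixed(const char *specs, int ncand)
{
    return strlen(specs) + count_len(ncand) + 1;
}

/*
 * Buffer selection as the comment describes it: use the static buffer if the
 * computed size fits, otherwise allocate.  Returns 0 if the final string fit,
 * 1 if an unbounded append of "(N)" would have overflowed the chosen buffer,
 * -1 on allocation failure.  *out receives the buffer; *on_heap tells the
 * caller whether it must free it.
 */
int build_sort_log(const char *specs, int ncand,
                   size_t (*sizer)(const char *, int),
                   char *static_buf, size_t static_cap,
                   char **out, int *on_heap)
{
    size_t need = sizer(specs, ncand);
    char *buf;
    size_t cap;

    if (need <= static_cap) {
        buf = static_buf;
        cap = static_cap;
        *on_heap = 0;
    } else {
        buf = malloc(need);
        if (buf == NULL)
            return -1;
        cap = need;
        *on_heap = 1;
    }

    /* Bounded write; the original copied without a bound. */
    int written = snprintf(buf, cap, "%s(%d)", specs, ncand);
    *out = buf;
    return (written < 0 || (size_t)written >= cap) ? 1 : 0;
}

/* Runs the sample through one sizing strategy with a static buffer that the
   specs alone just fill (the "just about the prepared buffer size" case). */
int sample_result(size_t (*sizer)(const char *, int))
{
    char static_buf[sizeof SAMPLE_SPECS];
    char *line = NULL;
    int on_heap = 0;

    int r = build_sort_log(SAMPLE_SPECS, SAMPLE_NCAND, sizer,
                           static_buf, sizeof static_buf, &line, &on_heap);
    if (r >= 0 && on_heap)
        free(line);
    return r;
}

int main(void)
{
    printf("buggy sizing: %s\n",
           sample_result(size_buggy) == 1 ? "would overflow" : "ok");
    printf("fixed sizing: %s\n",
           sample_result(size_fixed) == 0 ? "ok" : "would overflow");
    return 0;
}
```

With the buggy sizer the computed length equals the static buffer size, so the static buffer is chosen and the six extra bytes of "(1944)" land past its end; with the fixed sizer the same input no longer fits the static buffer, the heap path is taken, and the string fits. The check is the one-line change of including count_len(ncand) before the buffer is picked, not after.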