ITS#2465 fix? ber_get_next must read at least sizeof(tag)+sizeof(len)
which should be at most 8 bytes. However if we read more than the minimum message length, we have a problem because we steal bytes from any following message, and there is no buffer mechanism to push back excess data. The shortest legitimate message is Unbind at 7 bytes, but there shouldn't be anything following it. Abandon at 8 bytes is next, so always requesting at least 8 bytes should be safe. Always requesting 9 was a problem. Please double-check these assumptions...
parent
d14ff18d7f
commit
bcf7ab26e4
1 changed files with 2 additions and 2 deletions
|
|
@ -510,13 +510,13 @@ ber_get_next(
|
|||
}
|
||||
|
||||
while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr <
|
||||
(char *)&ber->ber_len + LENSIZE*2) {
|
||||
(char *)&ber->ber_len + LENSIZE*2 -1) {
|
||||
ber_slen_t sblen;
|
||||
char buf[sizeof(ber->ber_len)-1];
|
||||
ber_len_t tlen = 0;
|
||||
|
||||
sblen=ber_int_sb_read( sb, ber->ber_rwptr,
|
||||
((char *)&ber->ber_len + LENSIZE*2)-ber->ber_rwptr);
|
||||
((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr);
|
||||
if (sblen<=0) return LBER_DEFAULT;
|
||||
ber->ber_rwptr += sblen;
|
||||
|
||||
|
|
|
|||
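Review bot: The read limit `(char *)&ber->ber_len + LENSIZE*2 - 1` is now spelled out twice, once in the `while` condition and once in the length passed to `ber_int_sb_read()`, and because the destination is the BerElement's own tag/length fields filled with bytes from the peer, a later edit that changes only one copy would let the read length and the loop bound disagree. I would hoist it into a single local, e.g. `char *hdr_end = (char *)&ber->ber_len + LENSIZE*2 - 1;`, and use `hdr_end` in both places. The reason for the `- 1` is recorded only in the commit message; a comment above the loop such as `/* ITS#2465: excess bytes cannot be pushed back, so never request more than the shortest message that may be followed by another */` would keep it next to the code. That reasoning assumes a well-behaved peer (nothing pipelined after a 7-byte Unbind), and since these bytes are untrusted it is worth confirming that a shorter-than-expected message followed by more data ends in a decode error rather than a misparse; the rest of the loop body lies outside this hunk, so that cannot be checked here.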