Package: ldap2zone
Version: 0.2-3.1
Severity: important
Tags: patch
User: [email protected]
Usertags: debian-edu
I tested running ldap2zone using valgrind, and discovered a write
outside a malloc()-ed buffer. This patch fixes it. The overflow
happened in the following sprintf() call printing "%s %s" in a buffer
with room for "%s%s" only.
--- ldap2zone-0.2.orig/ldap2zone.c
+++ ldap2zone-0.2/ldap2zone.c
@@ -222,7 +222,7 @@ int putrr(struct assstack_entry **stack,
free(rr);
return -1;
}
- rrdata->key.len = strlen(type) + strlen(ttl) + 1;
+ rrdata->key.len = strlen(type) + strlen(ttl) + 2; /* null byte and space */
rrdata->key.data = (void *) malloc(rrdata->key.len);
if (!rrdata->key.data) {
free(rrdata);
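Review bot: The corrected `+ 2` on the key.len line still hard-codes the buffer size from knowledge of the "%s %s" format that the sprintf() named in the report uses, so the allocation and the write can drift apart again the next time that format changes. Consider making the write bounded, e.g. snprintf(rrdata->key.data, rrdata->key.len, ...), or deriving the length from the format itself, so that a mismatch truncates instead of writing past the malloc()-ed block. Note also that key.len now counts the terminating null byte as well as the space; if key.len is used elsewhere as the key's comparison length, confirm lookups still behave as intended. Minor style point: the (void *) cast on malloc() is not needed in C.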
Perhaps best to build the binary with hardening enabled?
--
Happy hacking
Petter Reinholdtsen
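
An added example, not part of the original report and not ldap2zone's own code: it shows the one-byte shortfall described above for a "%s %s" key and a way to size the buffer from the format string itself, with a bounded write. The helper names (key_len_prepatch, key_len_needed, make_key) are hypothetical and the sample values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size the pre-patch code reserved: one byte short for "%s %s" plus NUL. */
size_t key_len_prepatch(const char *type, const char *ttl)
{
    return strlen(type) + strlen(ttl) + 1;
}

/* Bytes "%s %s" really needs, measured from the format itself. */
size_t key_len_needed(const char *type, const char *ttl)
{
    int n = snprintf(NULL, 0, "%s %s", type, ttl);
    return n < 0 ? 0 : (size_t)n + 1; /* +1 for the terminating NUL */
}

/* Hypothetical helper: allocate and fill the key; returns NULL on failure.
 * *len_out receives the allocation size, as key.len does in the patch. */
char *make_key(const char *type, const char *ttl, size_t *len_out)
{
    size_t len = key_len_needed(type, ttl);
    char *buf;
    int n;

    if (len == 0 || (buf = malloc(len)) == NULL)
        return NULL;
    /* Bounded write: a size/format mismatch truncates instead of overflowing. */
    n = snprintf(buf, len, "%s %s", type, ttl);
    if (n < 0 || (size_t)n >= len) {
        free(buf);
        return NULL;
    }
    *len_out = len;
    return buf;
}

int main(void)
{
    size_t len = 0;
    char *key = make_key("A", "3600", &len); /* constructed sample values */

    if (!key)
        return 1;
    printf("key=\"%s\" needed=%zu prepatch=%zu\n", key, len,
           key_len_prepatch("A", "3600"));
    free(key);
    return 0;
}
```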