https://bugs.openldap.org/show_bug.cgi?id=10077

          Issue ID: 10077
           Summary: Integer overflow in util-int.c
           Product: OpenLDAP
           Version: 2.6.3
          Hardware: All
                OS: Windows
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: libraries
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Created attachment 971
  --> https://bugs.openldap.org/attachment.cgi?id=971&action=edit
the fix proposal for ldap_pvt_gettimensec() function

Hello,
I found an issue with the contextCSN generating process which causes its
format to be invalid (minus sign in the nanoseconds field).

Example:
"generated new csn=20230630080704.-489933Z#000000#000#000000"

The bug can introduce a minus sign in the contextCSN, which could have an
impact on the replication process, backup restoring, etc.: everywhere the format
of the contextCSN is checked before processing it.

According to the source code and reference documents, the contextCSN nanoseconds
field should have a value in the range 000000-999999.

https://www.openldap.org/faq/data/cache/1145.html

The problem is in the function ldap_pvt_gettimensec() in the util-int.c file. For
example, in the line:

count.QuadPart += (10 * BILLION);

The value of (10 * BILLION) will be treated as a 32-bit value by the compiler and
will cause an integer overflow. Then the random value is added to
count.QuadPart, which in some specific cases can produce a negative value that
is returned from the function. At the end the value is passed to the function
ldap_pvt_csnstr(), so the contextCSN is wrongly generated (with a minus sign).

The 'LL' qualifier is missing; the code should look like this:

count.QuadPart += (10LL * BILLION);

I also suggest changing the type of the _ldap_pvt_gt_offset variable from int to
long long.

In the attachment you will find the fix proposal, as there are more places in the
function where changes are required.
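The arithmetic behind the report, as an added illustration that is not part of the bug report or of the OpenLDAP sources: it assumes BILLION is a plain int constant of 1000000000 and models only the two forms of the addition and how a negative nanosecond count turns into a negative CSN fraction field; the sample count is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BILLION 1000000000   /* assumed: a plain int constant, as in the report */

/* What a 32-bit int product of 10 * BILLION wraps to.  In the real expression
 * this is signed overflow (undefined behaviour in C); the value below is the
 * two's-complement wrap compilers typically emit, computed here with
 * well-defined unsigned arithmetic. */
static int32_t ten_billion_wrapped32(void)
{
    uint32_t wrapped = 10u * (uint32_t)BILLION;   /* 10000000000 mod 2^32 */
    return (int32_t)wrapped;                      /* 1410065408 */
}

/* Buggy form: the product is widened to 64 bits only after it has wrapped. */
static int64_t add_ten_seconds_buggy(int64_t quad)
{
    return quad + ten_billion_wrapped32();
}

/* Fixed form from the report: the LL suffix forces a 64-bit multiply. */
static int64_t add_ten_seconds_fixed(int64_t quad)
{
    return quad + (10LL * BILLION);
}

/* Six-digit fraction field of a CSN derived from a nanosecond count.
 * C's % keeps the sign of the dividend, so a negative count yields a
 * negative field, which is how a "-489933" fragment can appear. */
static long long csn_fraction_field(int64_t ns)
{
    return (long long)((ns % BILLION) / 1000);
}

/* Validity check matching the documented range 000000-999999. */
static int csn_fraction_valid(long long field)
{
    return field >= 0 && field <= 999999;
}

int main(void)
{
    int64_t count = -2510067000LL;   /* constructed: a count below zero before the +10s */
    int64_t b = add_ten_seconds_buggy(count), f = add_ten_seconds_fixed(count);
    printf("buggy: %lld -> field %06lld valid=%d\n", (long long)b,
           csn_fraction_field(b), csn_fraction_valid(csn_fraction_field(b)));
    printf("fixed: %lld -> field %06lld valid=%d\n", (long long)f,
           csn_fraction_field(f), csn_fraction_valid(csn_fraction_field(f)));
    return 0;
}
```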
