https://bugs.openldap.org/show_bug.cgi?id=10340

          Issue ID: 10340
           Summary: Potential Buffer Overflow in mdb_rebalance
           Product: OpenLDAP
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: libraries
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Created attachment 1067
  --> https://bugs.openldap.org/attachment.cgi?id=1067&action=edit
Add an early return when `mc->mc_top == 0`

In `mdb_rebalance`, we do:

```c
int ptop = mc->mc_top - 1;
node = mc->mc_pg[ptop];
```

However, `mc->mc_top` defaults to 0 in many contexts, so `ptop` can become
`-1`. Indexing `mc->mc_pg[-1]` causes invalid memory access. Elsewhere this is
handled by checking `mc->mc_top > 0` before decrementing.

To fix this, we add an early return when `mc->mc_top == 0`. A root page (or one
without a parent) doesn’t need rebalancing, so this guard prevents `ptop` from
ever being negative and eliminates the out-of-bounds access.

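A minimal model of the guard the report proposes, as an added example and not OpenLDAP/LMDB code: `toy_cursor`, `toy_page`, `toy_parent_index`, `toy_rebalance` and `toy_check_depth` are hypothetical names, and the cursor layout (a page stack `mc_pg[]` indexed by `mc_top`, with `mc_top` an `unsigned short` so that `mc_top - 1` promotes to the int `-1`) is an assumption made for this model. It shows that computing the parent slot on a root cursor yields index `-1`, and that returning early when `mc_top == 0` avoids ever touching `mc_pg[-1]`.

```c
/* Added example, not LMDB code: toy model of a cursor page stack and the
 * "no parent at the root" guard for a rebalance step. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CURSOR_STACK 32              /* max tree depth in this toy model */

typedef struct toy_page {
    uint32_t pgno;                   /* page number */
    unsigned nkeys;                  /* keys on the page */
} toy_page;

/* Hypothetical cursor: mc_pg[0] is the root, mc_pg[mc_top] the current page.
 * mc_top is unsigned short so that `mc_top - 1` promotes to int, exactly
 * as `int ptop = mc->mc_top - 1;` would, giving -1 at the root. */
typedef struct toy_cursor {
    toy_page      *mc_pg[CURSOR_STACK];
    unsigned       mc_snum;          /* number of pushed pages */
    unsigned short mc_top;           /* index of top page, mc_snum - 1 */
} toy_cursor;

enum { TOY_SUCCESS = 0, TOY_NO_PARENT = 1 };

/* Returns the parent slot, or -1 when the cursor sits on the root.
 * The unguarded form `mc->mc_top - 1` evaluates to -1 here too, but a
 * caller that then indexes mc_pg[-1] reads before the array. */
static int toy_parent_index(const toy_cursor *mc)
{
    if (mc->mc_top == 0)             /* root page: there is no parent */
        return -1;
    return (int)mc->mc_top - 1;
}

/* Guarded rebalance skeleton: early return at the root, otherwise look up
 * the parent page. On success *out_parent receives the parent's pgno. */
static int toy_rebalance(const toy_cursor *mc, uint32_t *out_parent)
{
    int ptop = toy_parent_index(mc);
    if (ptop < 0) {
        /* A page without a parent has no siblings to borrow from or merge
         * with, so there is nothing to rebalance. */
        return TOY_NO_PARENT;
    }
    const toy_page *parent = mc->mc_pg[ptop];   /* safe: ptop >= 0 */
    if (out_parent)
        *out_parent = parent->pgno;
    /* ... sibling / merge logic would follow here ... */
    return TOY_SUCCESS;
}

/* Builds a cursor positioned `depth` pages deep (1 = on the root). */
static void toy_cursor_init(toy_cursor *mc, toy_page *pages, unsigned depth)
{
    mc->mc_snum = depth;
    mc->mc_top  = (unsigned short)(depth - 1);
    for (unsigned i = 0; i < depth; i++)
        mc->mc_pg[i] = &pages[i];
}

/* Runs the guarded rebalance on a constructed three-level tree positioned
 * `depth` pages deep and returns its status; parent pgno via *out_parent. */
int toy_check_depth(unsigned depth, uint32_t *out_parent)
{
    toy_page pages[3] = { {1, 2}, {7, 5}, {9, 1} };   /* constructed sample */
    toy_cursor mc;
    if (depth < 1 || depth > 3)
        return -1;
    toy_cursor_init(&mc, pages, depth);
    return toy_rebalance(&mc, out_parent);
}

/* Returns the raw parent index for a cursor `depth` deep (-1 at the root). */
int toy_check_parent_index(unsigned depth)
{
    toy_page pages[3] = { {1, 2}, {7, 5}, {9, 1} };
    toy_cursor mc;
    if (depth < 1 || depth > 3)
        return -2;
    toy_cursor_init(&mc, pages, depth);
    return toy_parent_index(&mc);
}

int main(void)
{
    uint32_t parent = 0;
    printf("depth 1: ptop=%d rc=%d\n",
           toy_check_parent_index(1), toy_check_depth(1, &parent));
    printf("depth 3: ptop=%d rc=%d parent=%u\n",
           toy_check_parent_index(3), toy_check_depth(3, &parent), parent);
    return 0;
}
```

The depth-1 case is the one the report describes: without the guard, `ptop` is `-1` and the parent lookup reads `mc_pg[-1]`; with it, the function returns `TOY_NO_PARENT` before any indexing happens.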