potential crash in ldap_str2charray()

RESOLVED INVALID

Status

Directory
LDAP C SDK
--
critical
9 years ago
7 years ago

People

(Reporter: wolfiR, Unassigned)

Tracking

({crash})

(Reporter)

Description

9 years ago
This has been reported originally here:
https://bugzilla.novell.com/show_bug.cgi?id=439588

----------
Thunderbird's included libldap uses strtok on a (read-only?) string, which
results in a segfault.

The same problem can be triggered by this small program:
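------
#include <stdlib.h>
#include <string.h>

int main(void) {
        const char* brk = ", ";
        char* str = "ldap://localhost/";  /* string literal: read-only storage */
        char* str2;
        str2 = strdup(str);               /* writable heap copy */

        char* s;
        /* strtok() writes NUL bytes into the buffer it scans */
        s = strtok( str2, brk ); // <= works
        s = strtok( str, brk ); //  <= segfault
        (void)s;
        free(str2);
        return 0;
}
-------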

I don't know if any caller of ldap_str2charray() would ever pass a constant string, but it for sure doesn't hurt to catch that case.
(The original crash reported (at least that I know of) is caused by the fact that mozldap and openldap function calls got mixed up in the same process, which seems to be at least one reason which is able to trigger the crash (and probably many more issues, but anyway).)
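
Added example (not part of the bug report and not the LDAP C SDK's code): one way a tokenizer of this kind can accept constant strings is to run strtok_r() over a private copy, so the caller's buffer is never written. The names str2charray_copy and charray_free are hypothetical, and POSIX strdup()/strtok_r() are assumed to be available.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() and strtok_r() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not the SDK's ldap_str2charray().
 * Splits `str` on any character in `brk` into a NULL-terminated array.
 * The input is never written to, so string literals are safe to pass.
 * Returns NULL on allocation failure; release with charray_free(). */
char **str2charray_copy(const char *str, const char *brk)
{
    char *work = strdup(str);              /* writable copy for strtok_r */
    if (work == NULL) return NULL;

    /* Upper bound on tokens: one more than the number of separator chars. */
    size_t max = 1;
    for (const char *p = str; *p; p++)
        if (strchr(brk, *p)) max++;

    char **res = calloc(max + 1, sizeof *res);  /* +1 for the NULL terminator */
    if (res == NULL) { free(work); return NULL; }

    size_t n = 0;
    char *save = NULL;
    for (char *tok = strtok_r(work, brk, &save); tok != NULL;
         tok = strtok_r(NULL, brk, &save)) {
        res[n] = strdup(tok);
        if (res[n] == NULL) {              /* unwind on partial failure */
            while (n > 0) free(res[--n]);
            free(res); free(work);
            return NULL;
        }
        n++;
    }
    free(work);
    return res;                            /* res[n] is NULL thanks to calloc */
}

void charray_free(char **a)
{
    if (a == NULL) return;
    for (char **p = a; *p; p++) free(*p);
    free(a);
}

int main(void)
{
    /* Constructed sample input: a string literal, which must not be modified. */
    char **v = str2charray_copy("ldap://localhost/, ldap://backup/", ", ");
    for (char **p = v; v && *p; p++) puts(*p);
    charray_free(v);
    return 0;
}
```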

Comment 1

9 years ago
the prototype asks for char* for both args, not const char*

http://mxr.mozilla.org/comm-central/source/directory/c-sdk/ldap/libraries/libldap/charray.c#194
(Reporter)

Comment 2

9 years ago
hmm, obviously right. Ok, so the only reason that can break is really only if symbols are mixed up between mozldap and openldap so that this is more or less invalid :-(

Comment 3

7 years ago
(In reply to comment #2)
> hmm, obviously right. Ok, so the only reason that can break is really only if
> symbols are mixed up between mozldap and openldap so that this is more or less
> invalid :-(

wolfir, you mean bug invalid?
Severity: normal → critical
Keywords: crash
(Reporter)

Comment 4

7 years ago
Yes, seems invalid.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID