fix-48986-cve-2017-2591

commit ffda694dd622b31277da07be76d3469fad86150f
Author: William Brown <william@blackhats.net.au>
Date:   Wed Sep 28 10:46:21 2016 +1000

    Ticket 48986 - 47808 triggers overflow in uiduniq.c

    Bug Description:  Certain configurations of uiduniq.c would cause an overflow
    when running with Address Sanitiser

    Fix Description:  Increase the size of the allocation to tmp_config->attrs.

    https://fedorahosted.org/389/ticket/48986

    Author: nhosoi

    Reviewed by: wibrown

Gbp-Pq: Name fix-48986-cve-2017-2591.diff

diff --git a/ldap/servers/plugins/uiduniq/uid.c b/ldap/servers/plugins/uiduniq/uid.c
index f842654378f6eaf5659656a970541de71c63e5e5..7a55969a1c8c63f04a6a9096f2dbcf1c7ed127b1 100644 (file)
--- a/ldap/servers/plugins/uiduniq/uid.c
+++ b/ldap/servers/plugins/uiduniq/uid.c
@@ -299,7 +299,7 @@ uniqueness_entry_to_config(Slapi_PBlock *pb, Slapi_Entry *config_entry)
                         }
                         
                         /* Store attrName in the config */
-                        tmp_config->attrs = (const char **) slapi_ch_calloc(1, sizeof(char *));
+                        tmp_config->attrs = (const char **) slapi_ch_calloc(2, sizeof(char *));
                         tmp_config->attrs[0] = slapi_ch_strdup(attrName);
                         argc--;
                         argv++; /* First argument was attribute name and remaining are subtrees */
@@ -340,7 +340,7 @@ uniqueness_entry_to_config(Slapi_PBlock *pb, Slapi_Entry *config_entry)
                          *  - requiredObjectClass 
                          */
                         /* Store attrName in the config */
-                        tmp_config->attrs = (const char **) slapi_ch_calloc(1, sizeof(char *));
+                        tmp_config->attrs = (const char **) slapi_ch_calloc(2, sizeof(char *));
                         tmp_config->attrs[0] = slapi_ch_strdup(attrName);
                         
                         /* There is no subtrees */