Issue 7545 - Heap buffer overflow in entry.c #7546

Open
IliaKash1 wants to merge 1 commit into 389ds:main from IliaKash1:fix-state-information-crash
@IliaKash1 IliaKash1 commented Jun 3, 2026

Contributor

Bug description:

Heap buffer overflow in str2entry_state_information_from_type() can be triggered with a specific input, since ';' is supposed to precede enough symbols.

Fix description:

Additional strlen() check before accessing specific symbols is added.

Fixes: #7545

Author: Ilia Kashintsev

Summary by Sourcery

Bug Fixes:

  • Add a string length guard in str2entry_state_information_from_type() to avoid out-of-bounds access on malformed input.

@sourcery-ai sourcery-ai Bot left a comment

Contributor

Hey - I've left some high level feedback:

  • The new strlen(p) >= 7 check prevents the overflow, but repeatedly calling strlen inside the loop may be unnecessary overhead; consider computing the length once per iteration (or deriving it from the parsing logic) and reusing it before the character index checks.

@packit-as-a-service


Congratulations! One of the builds has completed. 🍾

You can install the built RPMs by following these steps:

  • sudo dnf install -y 'dnf*-command(copr)'
  • dnf copr enable packit/389ds-389-ds-base-7546
  • And now you can install the packages.

Please note that the RPMs should be used only in a testing environment.

@progier389

Contributor

Probably better test that p[0] != 0 && p[1] != 0 && p[2] != 0 && ... rather than use strlen(p) >= 7
But I even wonder if we want to "fix" that:
entry state is internal data. As far as I know the only way to provide a bad entry state is to have an administrator importing an ldif file that has been badly tampered with - Having a crash in that case is not really an issue
but impacting the performance of this function could be one

…_type()

Bug description:

Heap buffer overflow can be triggered with a specific input, since ';'
is supposed to precede by enough symbols.

Fix description:

Additional NULL checks before accessing specific symbols are added.

Fixes: 389ds#7545

Author: Ilia Kashintsev
IliaKash1 force-pushed the fix-state-information-crash branch from 2b78265 to 7d97c45 on June 4, 2026 10:17
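
An added example, not part of the pull request or the 389-ds code base: the two guards discussed in this thread (the `strlen(p) >= 7` check and the per-byte NUL checks) applied to a constructed parser. The marker text `xxcsn-`, the `TAG_WINDOW` constant and all function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a tag is ';' followed by a fixed six-byte marker, so the
 * parser looks at p[0]..p[6]. The marker text is constructed. */
#define TAG_WINDOW 7
static const char MARKER[] = "xxcsn-";

/* Guard from the first revision: correct, but strlen() walks the whole
 * remainder of the string for every ';' found. */
static int window_ok_strlen(const char *p)
{
    return strlen(p) >= TAG_WINDOW;
}

/* Per-byte guard suggested in review: stops at the first NUL and never
 * touches more than TAG_WINDOW bytes. */
static int window_ok_bytes(const char *p)
{
    for (size_t i = 0; i < TAG_WINDOW; i++) {
        if (p[i] == '\0')
            return 0;
    }
    return 1;
}

/* Count well-formed tags. Without the guard, memcmp() on a short tail such
 * as "cn;" would read past the terminating NUL of a heap-allocated string. */
static int count_state_tags(const char *type, int (*window_ok)(const char *))
{
    int n = 0;
    for (const char *p = strchr(type, ';'); p != NULL; p = strchr(p + 1, ';')) {
        if (window_ok(p) && memcmp(p + 1, MARKER, TAG_WINDOW - 1) == 0)
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: valid, cut after ';', cut mid-marker, several tags. */
    const char *samples[] = { "cn;xxcsn-5f00", "cn;", "cn;xxcs", "cn;a;xxcsn-1;xxcsn-2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s strlen=%d bytes=%d\n", samples[i],
               count_state_tags(samples[i], window_ok_strlen),
               count_state_tags(samples[i], window_ok_bytes));
    return 0;
}
```

Both guards accept and reject the same inputs; they differ only in how many bytes they read per `;`.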