From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Mon, 7 Jul 2008 18:52:29 +0000 (+0000)
Subject: ITS#5580
X-Git-Tag: OPENLDAP_REL_ENG_2_3_43~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef21d7111528eab0d69760ac7bf196b0d81066ab;p=thirdparty%2Fopenldap.git

ITS#5580
---

diff --git a/CHANGES b/CHANGES
index ead614637f..4e35844d48 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,7 @@
 OpenLDAP 2.3 Change Log
 
 OpenLDAP 2.3.43 Engineering
+	Fixed liblber ber_get_next length decoding (ITS#5580)
 	Fixed slapd replog timestamps (ITS#5532)
 
 OpenLDAP 2.3.42 Release (2008/05/28)
diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
index 3fc3d8a36f..a3447423f5 100644
--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -495,14 +495,18 @@ ber_get_next(
 	}
 
 	while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr <
-		(char *)&ber->ber_len + LENSIZE*2 -1) {
+		(char *)&ber->ber_len + LENSIZE*2) {
 		ber_slen_t sblen;
 		char buf[sizeof(ber->ber_len)-1];
 		ber_len_t tlen = 0;
 
+		/* The tag & len can be at most 9 bytes; we try to read up to 8 here */
 		sock_errset(0);
-		sblen=ber_int_sb_read( sb, ber->ber_rwptr,
-			((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr);
+		sblen=((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr;
+		/* Trying to read the last len byte of a 9 byte tag+len */
+		if (sblen<1)
+			sblen = 1;
+		sblen=ber_int_sb_read( sb, ber->ber_rwptr, sblen );
 		if (sblen<=0) return LBER_DEFAULT;
 		ber->ber_rwptr += sblen;
 
@@ -552,7 +556,7 @@ ber_get_next(
 			int i;
 			unsigned char *p = (unsigned char *)ber->ber_ptr;
 			int llen = *p++ & 0x7f;
-			if (llen > (int)sizeof(ber_len_t)) {
+			if (llen > LENSIZE) {
 				sock_errset(ERANGE);
 				return LBER_DEFAULT;
 			}
diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
index 1ae7320619..4419a81cef 100644
--- a/libraries/libldap/result.c
+++ b/libraries/libldap/result.c
@@ -296,18 +296,20 @@ wait4msg(
 #endif
 
 		    	if ( !lc_ready ) {
+				int err;
 				rc = ldap_int_select( ld, tvp );
-#ifdef LDAP_DEBUG
 				if ( rc == -1 ) {
+					err = sock_errno();
+#ifdef LDAP_DEBUG
 					Debug( LDAP_DEBUG_TRACE,
 						"ldap_int_select returned -1: errno %d\n",
-						sock_errno(), 0, 0 );
-				}
+						err, 0, 0 );
 #endif
+				}
 
 				if ( rc == 0 || ( rc == -1 && (
 					!LDAP_BOOL_GET(&ld->ld_options, LDAP_BOOL_RESTART)
-						|| sock_errno() != EINTR )))
+						|| err != EINTR )))
 				{
 					ld->ld_errno = (rc == -1 ? LDAP_SERVER_DOWN :
 						LDAP_TIMEOUT);
@@ -410,7 +412,7 @@ try_read1msg(
 	LDAPRequest	*lr, *tmplr;
 	LDAPConn	*lc;
 	BerElement	tmpber;
-	int		rc, refer_cnt, hadref, simple_request;
+	int		rc, refer_cnt, hadref, simple_request, err;
 	ber_int_t	lderr;
 
 #ifdef LDAP_CONNECTIONLESS
@@ -469,15 +471,16 @@ nextresp3:
 	}
 	if ( tag != LDAP_TAG_MESSAGE ) {
 		if ( tag == LBER_DEFAULT) {
+			err = sock_errno();
 #ifdef LDAP_DEBUG		   
 			Debug( LDAP_DEBUG_CONNS,
 				"ber_get_next failed.\n", 0, 0, 0 );
-#endif		   
+#endif
 #ifdef EWOULDBLOCK			
-			if ( sock_errno() == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING;
+			if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING;
 #endif
 #ifdef EAGAIN
-			if ( sock_errno() == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING;
+			if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING;
 #endif
 			ld->ld_errno = LDAP_SERVER_DOWN;
 			return -1;