OpenLDAP
Viewing Software Bugs/8027

From: ryan@nardis.ca
Subject: ldapsearch -E deref=member: crashes slapd

Date: Mon, 19 Jan 2015 19:56:02 +0000
From: ryan@nardis.ca
To: openldap-its@OpenLDAP.org
Subject: ldapsearch -E deref=member: crashes slapd
Full_Name: Ryan Tandy
Version: master (7df548d), RE24 (2b14bbc)
OS: Debian unstable
URL: 
Submission from: (NULL) (142.32.208.227)


If you use the deref control but leave the list of requested attributes empty,
slapd crashes.

ldapsearch [...] -E deref=member:

#0  0x0000000000516ef0 in deref_parseCtrl (op=0x7fffec000940, rs=0x7ffff57eeac0, ctrl=0x7fffec001238) at deref.c:225
#1  0x000000000046a84d in slap_parse_ctrl (op=0x7fffec000940, rs=0x7ffff57eeac0, control=0x7fffec001238, text=0x7ffff57eeae0) at controls.c:693
#2  0x000000000046b0f5 in get_ctrls2 (op=0x7fffec000940, rs=0x7ffff57eeac0, sendres=1, ctag=160) at controls.c:886
#3  0x000000000046a8ff in get_ctrls (op=0x7fffec000940, rs=0x7ffff57eeac0, sendres=1) at controls.c:723
#4  0x000000000042e94e in do_search (op=0x7fffec000940, rs=0x7ffff57eeac0) at search.c:195
#5  0x000000000042bdf3 in connection_operation (ctx=0x7ffff57eebf0, arg_v=0x7fffec000940) at connection.c:1134
#6  0x000000000042c3a3 in connection_read_thread (ctx=0x7ffff57eebf0, argv=0xb) at connection.c:1280
#7  0x0000000000538938 in ldap_int_thread_pool_wrapper (xpool=0x892bc0) at tpool.c:958
#8  0x00007ffff79b00a4 in start_thread (arg=0x7ffff57ef700) at pthread_create.c:309
#9  0x00007ffff76e4ccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

(line numbers are from master)

The ldapsearch manpage implies this probably isn't valid, but it still accepted
it. (FWIW, I tried it just to see whether it would return all attributes or
none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is
considered a valid request.

Followup 1

Date: Mon, 19 Jan 2015 22:17:11 +0000
From: Howard Chu <hyc@symas.com>
To: ryan@nardis.ca, openldap-its@OpenLDAP.org
Subject: Re: (ITS#8027) ldapsearch -E deref=member: crashes slapd
ryan@nardis.ca wrote:
> Full_Name: Ryan Tandy
> Version: master (7df548d), RE24 (2b14bbc)
> OS: Debian unstable
> URL:
> Submission from: (NULL) (142.32.208.227)
>
>
> If you use the deref control but leave the list of requested attributes empty,
> slapd crashes.
>
> ldapsearch [...] -E deref=member:
>
> #0  0x0000000000516ef0 in deref_parseCtrl (op=0x7fffec000940, rs=0x7ffff57eeac0, ctrl=0x7fffec001238) at deref.c:225
> #1  0x000000000046a84d in slap_parse_ctrl (op=0x7fffec000940, rs=0x7ffff57eeac0, control=0x7fffec001238, text=0x7ffff57eeae0) at controls.c:693
> #2  0x000000000046b0f5 in get_ctrls2 (op=0x7fffec000940, rs=0x7ffff57eeac0, sendres=1, ctag=160) at controls.c:886
> #3  0x000000000046a8ff in get_ctrls (op=0x7fffec000940, rs=0x7ffff57eeac0, sendres=1) at controls.c:723
> #4  0x000000000042e94e in do_search (op=0x7fffec000940, rs=0x7ffff57eeac0) at search.c:195
> #5  0x000000000042bdf3 in connection_operation (ctx=0x7ffff57eebf0, arg_v=0x7fffec000940) at connection.c:1134
> #6  0x000000000042c3a3 in connection_read_thread (ctx=0x7ffff57eebf0, argv=0xb) at connection.c:1280
> #7  0x0000000000538938 in ldap_int_thread_pool_wrapper (xpool=0x892bc0) at tpool.c:958
> #8  0x00007ffff79b00a4 in start_thread (arg=0x7ffff57ef700) at pthread_create.c:309
> #9  0x00007ffff76e4ccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
>
> (line numbers are from master)
>
> The ldapsearch manpage implies this probably isn't valid, but it still accepted
> it. (FWIW, I tried it just to see whether it would return all attributes or
> none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is
> considered a valid request.

As I read the grammar in the draft section 2.2 the attributeList is not 
OPTIONAL so this is definitely not a valid request.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

Date: Mon, 19 Jan 2015 23:25:05 +0100
From: Michael Ströder <michael@stroeder.com>
To: hyc@symas.com
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8027) ldapsearch -E deref=member: crashes slapd
hyc@symas.com wrote:
> As I read the grammar in the draft section 2.2 the attributeList is not 
> OPTIONAL so this is definitely not a valid request.

But this invalid request must not crash slapd with slapo-deref installed.

Ciao, Michael.



Followup 3

Date: Mon, 19 Jan 2015 22:27:30 +0000
From: Howard Chu <hyc@symas.com>
To: ryan@nardis.ca, openldap-its@OpenLDAP.org
Subject: Re: (ITS#8027) ldapsearch -E deref=member: crashes slapd
ryan@nardis.ca wrote:
> Full_Name: Ryan Tandy
> Version: master (7df548d), RE24 (2b14bbc)
> OS: Debian unstable
> URL:
> Submission from: (NULL) (142.32.208.227)
>
>
> If you use the deref control but leave the list of requested attributes empty,
> slapd crashes.
>
> ldapsearch [...] -E deref=member:

> The ldapsearch manpage implies this probably isn't valid, but it still accepted
> it. (FWIW, I tried it just to see whether it would return all attributes or
> none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is
> considered a valid request.
>
Patched in master to reject a request with an empty attr list.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
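
The check discussed in this thread (the attribute list in each deref spec is mandatory, and an empty one is rejected), as an added example that is not OpenLDAP's code and not the patch that went into master. The control value layout is an assumption based on the draft's grammar; `ber_tlv`, `deref_validate`, the result codes and the sample byte strings are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

enum { DEREF_OK = 0, DEREF_BAD = 2 };   /* hypothetical result codes */

/* Parse one definite-length BER header; return content length, -1 if malformed. */
static long ber_tlv(const uint8_t **p, const uint8_t *end, uint8_t tag)
{
    const uint8_t *q = *p;
    size_t len, n;
    if (end - q < 2 || *q++ != tag) return -1;
    len = *q++;
    if (len & 0x80) {                    /* long form, at most 2 length octets */
        if ((n = len & 0x7f) == 0 || n > 2 || (size_t)(end - q) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return -1;
    *p = q;                              /* now points at the content */
    return (long)len;
}

/* Assumed layout: SEQUENCE OF SEQUENCE { OCTET STRING, SEQUENCE OF OCTET STRING } */
int deref_validate(const uint8_t *val, size_t vlen)
{
    const uint8_t *p = val, *end = val + vlen, *spec_end;
    long n;
    if ((n = ber_tlv(&p, end, 0x30)) < 0 || p + n != end) return DEREF_BAD;
    while (p < end) {
        if ((n = ber_tlv(&p, end, 0x30)) < 0) return DEREF_BAD;
        spec_end = p + n;
        if ((n = ber_tlv(&p, spec_end, 0x04)) <= 0) return DEREF_BAD;
        p += n;                          /* skip derefAttr */
        /* attributes must be present, non-empty, and end the DerefSpec */
        if ((n = ber_tlv(&p, spec_end, 0x30)) <= 0 || p + n != spec_end) return DEREF_BAD;
        for (; p < spec_end; p += n)     /* every entry a non-empty string */
            if ((n = ber_tlv(&p, spec_end, 0x04)) <= 0) return DEREF_BAD;
    }
    return DEREF_OK;
}

/* Constructed control values for deref=member:cn and deref=member: */
static const uint8_t with_attr[]  = { 0x30,0x10, 0x30,0x0e, 0x04,0x06,'m','e','m','b','e','r', 0x30,0x04, 0x04,0x02,'c','n' };
static const uint8_t empty_list[] = { 0x30,0x0c, 0x30,0x0a, 0x04,0x06,'m','e','m','b','e','r', 0x30,0x00 };

int main(void)
{
    return deref_validate(with_attr, sizeof with_attr) != DEREF_OK ||
           deref_validate(empty_list, sizeof empty_list) != DEREF_BAD;
}
```

The program exits with status 0 when the well-formed value is accepted and the empty-list value is rejected; every length is checked against the enclosing element before any content is read.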



Reply 1

From: Howard Chu <openldap-its@OpenLDAP.org>
To: michael@stroeder.com
Subject: Re: (ITS#8027) ldapsearch -E deref=member: crashes slapd
Date: Mon Feb 23 08:15:29 2015
>But this invalid request must not crash slapd with slapo-deref installed.

Of course not. But slapo-deref is not installed or enabled by default. And since
it is undocumented, no one would enable it by accident - most don't even know
that it exists.


Followup 4

Subject: Re: (ITS#8027) ldapsearch -E deref=member: crashes slapd
To: openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Thu, 20 Aug 2015 11:52:25 +0100
Howard Chu wrote:
> ryan@nardis.ca wrote:
>> Full_Name: Ryan Tandy
>> Version: master (7df548d), RE24 (2b14bbc)
>> OS: Debian unstable
>> URL:
>> Submission from: (NULL) (142.32.208.227)
>>
>>
>> If you use the deref control but leave the list of requested attributes empty,
>> slapd crashes.
>>
>> ldapsearch [...] -E deref=member:
>
>> The ldapsearch manpage implies this probably isn't valid, but it still accepted
>> it. (FWIW, I tried it just to see whether it would return all attributes or
>> none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is
>> considered a valid request.
>>
> Patched in master to reject a request with an empty attr list.
>
For future reference, this was registered as CVE-2015-1545.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

