Software Bugs/8655
Notes: fixed in master; fixed in RE25; fixed in RE24 (2.4.45)
Date: Wed, 17 May 2017 08:20:59 +0000
From: karsten.heymann@gmail.com
To: openldap-its@OpenLDAP.org
Subject: SECURITY: Segfault by ldapsearch with pagesize=0

Full_Name: Karsten Heymann
Version: 2.4.40, 2.4.44, git master
OS: Debian 8
URL:
Submission from: (NULL) (2a02:2450:dd1f::2450)

Hi,

I found the following problem with slapd 2.4.40, but it also applies to 2.4.44 and to the current git master (431c4af526b18abb4a18c2c4c8655690b753cbe5).

When running ldap-csvexport.pl 1.9[1] with an ldap page size of 0 (option "-l 0"), the slapd process instantly segfaults. ldap-csvexport is a perl script that is using Net::LDAP and Net::LDAP::Control::Paged.

Complete command line:

./ldap-csvexport-1.9/ldap-csvexport.pl -a uid -b o=metacloud.org -l 0

This is the output of slapd -d1:

591c0422 slap_listener_activate(9):
591c0422 >>> slap_listener(ldap:///)
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
591c0422 op tag 0x60, time 1495008290
ber_get_next
591c0422 conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
591c0422 >>> dnPrettyNormal: <>
591c0422 <<< dnPrettyNormal: <>, <>
591c0422 do_bind: version=3 dn="" method=128
591c0422 send_ldap_result: conn=1000 op=0 p=3
591c0422 send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 13
591c0422 do_bind: v3 anonymous bind
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 56 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=1 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <>
591c0422 <<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
591c0422 => send_search_entry: conn 1000 dn=""
ber_flush2: 48 bytes to sd 13
591c0422 <= send_search_entry: conn 1000 exit.
591c0422 send_ldap_result: conn=1000 op=1 p=3
591c0422 send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 13
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 211 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=2 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <cn=Subschema>
591c0422 <<< dnPrettyNormal: <cn=Subschema>, <cn=subschema>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
591c0422 => send_search_entry: conn 1000 dn="cn=Subschema"
ber_flush2: 78881 bytes to sd 13
591c0422 <= send_search_entry: conn 1000 exit.
591c0422 send_ldap_result: conn=1000 op=2 p=3
591c0422 send_ldap_response: msgid=3 tag=101 err=0
ber_flush2: 14 bytes to sd 13
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 94 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=3 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <o=metacloud.org>
591c0422 <<< dnPrettyNormal: <o=metacloud.org>, <o=metacloud.org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
591c0422 => get_ctrls
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
591c0422 => get_ctrls: oid="1.2.840.113556.1.4.319" (noncritical)
ber_scanf fmt ({im}) ber:
591c0422 <= get_ctrls: n=1 rc=0 err=""
591c0422 ==> limits_get: conn=1000 op=3 self="[anonymous]" this="o=metacloud.org"
591c0422 => mdb_search
591c0422 mdb_dn2entry("o=metacloud.org")
591c0422 => mdb_dn2id("o=metacloud.org")
591c0422 <= mdb_dn2id: got id=0x1
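As an added triage aid (not part of the report above and not OpenLDAP code), the following Python script parses slapd -d1 trace lines of the kind shown in the report, groups them per connection and operation, records each operation's search base and request controls, and lists the operations that never reached send_ldap_result, i.e. the requests still in flight when the process died. The embedded trace is a constructed excerpt of the lines above; the control OID 1.2.840.113556.1.4.319 is the paged results control seen in the get_ctrls line. The regular expressions are assumptions about the -d1 line layout taken from this trace, not a specification of slapd's log format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Paged results control (RFC 2696); this is the OID seen in the get_ctrls line.
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"

# Constructed excerpt of the slapd -d1 trace from the report: a bind and two
# searches that completed, then the paged search for which no result line
# was ever logged because the process crashed.
SAMPLE_TRACE = """\
591c0422 conn=1000 op=0 do_bind
591c0422 >>> dnPrettyNormal: <>
591c0422 do_bind: version=3 dn="" method=128
591c0422 send_ldap_result: conn=1000 op=0 p=3
591c0422 send_ldap_response: msgid=1 tag=97 err=0
591c0422 conn=1000 op=1 do_search
591c0422 >>> dnPrettyNormal: <>
591c0422 send_ldap_result: conn=1000 op=1 p=3
591c0422 send_ldap_response: msgid=2 tag=101 err=0
591c0422 conn=1000 op=2 do_search
591c0422 >>> dnPrettyNormal: <cn=Subschema>
591c0422 send_ldap_result: conn=1000 op=2 p=3
591c0422 send_ldap_response: msgid=3 tag=101 err=0
591c0422 conn=1000 op=3 do_search
591c0422 >>> dnPrettyNormal: <o=metacloud.org>
591c0422 => get_ctrls: oid="1.2.840.113556.1.4.319" (noncritical)
591c0422 <= get_ctrls: n=1 rc=0 err=""
591c0422 ==> limits_get: conn=1000 op=3 self="[anonymous]" this="o=metacloud.org"
591c0422 => mdb_search
591c0422 <= mdb_dn2id: got id=0x1
"""

# Assumed line shapes, derived from the trace above.
OP_START = re.compile(r"conn=(\d+) op=(\d+) (do_\w+)")
DN_IN = re.compile(r">>> dnPrettyNormal: <([^>]*)>")
CTRL = re.compile(r'=> get_ctrls: oid="([\d.]+)" \((critical|noncritical)\)')
RESULT = re.compile(r"send_ldap_result: conn=(\d+) op=(\d+)")
RESPONSE = re.compile(r"send_ldap_response: msgid=(\d+) tag=(\d+) err=(\d+)")


@dataclass
class Operation:
    conn: int
    op: int
    kind: str                          # do_bind, do_search, ...
    base: Optional[str] = None         # first DN normalised while parsing the request
    controls: List[str] = field(default_factory=list)
    err: Optional[int] = None          # LDAP result code; None if no result was ever sent


def parse_trace(text: str) -> List[Operation]:
    """Group slapd -d1 lines into operations, in the order they were started."""
    ops: List[Operation] = []
    current: Optional[Operation] = None    # op whose request is being decoded
    finishing: Optional[Operation] = None  # op whose result is being sent
    for line in text.splitlines():
        if m := OP_START.search(line):
            current = Operation(int(m.group(1)), int(m.group(2)), m.group(3))
            ops.append(current)
        elif (m := DN_IN.search(line)) and current and current.base is None:
            current.base = m.group(1)
        elif (m := CTRL.search(line)) and current:
            current.controls.append(m.group(1))
        elif m := RESULT.search(line):
            conn, op = int(m.group(1)), int(m.group(2))
            finishing = next((o for o in ops if o.conn == conn and o.op == op), None)
        elif (m := RESPONSE.search(line)) and finishing:
            finishing.err = int(m.group(3))
            finishing = None
    return ops


def unfinished_ops(ops: List[Operation]) -> List[Operation]:
    """Operations with no result line: the candidates for what was in flight at the crash."""
    return [o for o in ops if o.err is None]


def summarize(ops: List[Operation]) -> str:
    """One line per operation, flagging the paged results control."""
    lines = []
    for o in ops:
        ctrls = ",".join(o.controls) or "-"
        paged = " [paged results]" if PAGED_RESULTS_OID in o.controls else ""
        status = "no result sent" if o.err is None else f"err={o.err}"
        lines.append(f"conn={o.conn} op={o.op} {o.kind} base={o.base!r} "
                     f"controls={ctrls}{paged} {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    print(summarize(parsed))
    for o in unfinished_ops(parsed):
        print(f"in flight at crash: conn={o.conn} op={o.op} base={o.base!r}")
```

On the trace from the report this singles out conn=1000 op=3, the search on o=metacloud.org carrying the paged results control, as the only operation without a result, which matches the reporter's description of the crashing request. The script assumes a single-connection trace; on a busy server the -d1 lines of several threads interleave, and the conn/op pair should then be carried on each line before grouping.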
Date: Wed, 17 May 2017 21:37:11 -0700
From: Ryan Tandy <ryan@nardis.ca>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8655) SECURITY: Segfault by ldapsearch with pagesize=0

Shorter reproducer: ftp://ftp.openldap.org/incoming/20170517_rtandy_crasher.pl

Patch: ftp://ftp.openldap.org/incoming/20170517_rtandy_Fix-double-free-of-search-base-with-page-size-0.patch
Date: Sat, 20 May 2017 11:36:13 -0700
From: Ryan Tandy <ryan@nardis.ca>
To: openldap-its@OpenLDAP.org
Cc: Karsten Heymann <karsten.heymann@gmail.com>, Quanah Gibson-Mount <quanah@symas.com>
Subject: Re: (ITS#8655) SECURITY: Segfault by ldapsearch with pagesize=0

Pushed to master.
Date: Mon, 29 May 2017 09:59:56 -0700
From: Ryan Tandy <ryan@nardis.ca>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8655) SECURITY: Segfault by ldapsearch with pagesize=0

For the record, CVE-2017-9287 was assigned to this issue.
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org