OpenLDAP
Viewing Software Bugs/8655

From: karsten.heymann@gmail.com
Subject: SECURITY: Segfault by ldapsearch with pagesize=0

Date: Wed, 17 May 2017 08:20:59 +0000
From: karsten.heymann@gmail.com
To: openldap-its@OpenLDAP.org
Subject: SECURITY: Segfault by ldapsearch with pagesize=0
Full_Name: Karsten Heymann
Version: 2.4.40, 2.4.44, git master 
OS: Debian 8
URL: 
Submission from: (NULL) (2a02:2450:dd1f::2450)


Hi,

I found the following problem with slapd 2.4.40, but it also applies to 2.4.44
and to the current git master (431c4af526b18abb4a18c2c4c8655690b753cbe5).

When running ldap-csvexport.pl 1.9[1] with an LDAP page size of 0 (option "-l
0"), the slapd process segfaults instantly. ldap-csvexport is a Perl
script that uses Net::LDAP and Net::LDAP::Control::Paged.

Complete Commandline:

    ./ldap-csvexport-1.9/ldap-csvexport.pl -a uid -b o=metacloud.org -l 0

This is the output of slapd -d1:

591c0422 slap_listener_activate(9): 
591c0422 >>> slap_listener(ldap:///)
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
591c0422 op tag 0x60, time 1495008290
ber_get_next
591c0422 conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
591c0422 >>> dnPrettyNormal: <>
591c0422 <<< dnPrettyNormal: <>, <>
591c0422 do_bind: version=3 dn="" method=128
591c0422 send_ldap_result: conn=1000 op=0 p=3
591c0422 send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 13
591c0422 do_bind: v3 anonymous bind
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 56 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=1 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <>
591c0422 <<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
591c0422 => send_search_entry: conn 1000 dn=""
ber_flush2: 48 bytes to sd 13
591c0422 <= send_search_entry: conn 1000 exit.
591c0422 send_ldap_result: conn=1000 op=1 p=3
591c0422 send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 13
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 211 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=2 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <cn=Subschema>
591c0422 <<< dnPrettyNormal: <cn=Subschema>, <cn=subschema>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
591c0422 => send_search_entry: conn 1000 dn="cn=Subschema"
ber_flush2: 78881 bytes to sd 13
591c0422 <= send_search_entry: conn 1000 exit.
591c0422 send_ldap_result: conn=1000 op=2 p=3
591c0422 send_ldap_response: msgid=3 tag=101 err=0
ber_flush2: 14 bytes to sd 13
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 94 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=3 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <o=metacloud.org>
591c0422 <<< dnPrettyNormal: <o=metacloud.org>, <o=metacloud.org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
591c0422 => get_ctrls
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
591c0422 => get_ctrls: oid="1.2.840.113556.1.4.319" (noncritical)
ber_scanf fmt ({im}) ber:
591c0422 <= get_ctrls: n=1 rc=0 err=""
591c0422 ==> limits_get: conn=1000 op=3 self="[anonymous]" this="o=metacloud.org"
591c0422 => mdb_search
591c0422 mdb_dn2entry("o=metacloud.org")
591c0422 => mdb_dn2id("o=metacloud.org")
591c0422 <= mdb_dn2id: got id=0x1
591c0422 send_ldap_result: conn=1000 op=1 p=3
591c0422 send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 13
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 211 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=2 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <cn=Subschema>
591c0422 <<< dnPrettyNormal: <cn=Subschema>, <cn=subschema>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
591c0422 => send_search_entry: conn 1000 dn="cn=Subschema"
ber_flush2: 78881 bytes to sd 13
591c0422 <= send_search_entry: conn 1000 exit.
591c0422 send_ldap_result: conn=1000 op=2 p=3
591c0422 send_ldap_response: msgid=3 tag=101 err=0
ber_flush2: 14 bytes to sd 13
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 94 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=3 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <o=metacloud.org>
591c0422 <<< dnPret

Message of length 14885 truncated

Followup 1

Date: Wed, 17 May 2017 21:37:11 -0700
From: Ryan Tandy <ryan@nardis.ca>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8655) SECURITY: Segfault by ldapsearch with pagesize=0
Shorter reproducer: ftp://ftp.openldap.org/incoming/20170517_rtandy_crasher.pl

Patch: ftp://ftp.openldap.org/incoming/20170517_rtandy_Fix-double-free-of-search-base-with-page-size-0.patch

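The patch title in Followup 1 names the bug class behind the crash: a double free of the search base entry when the requested page size is 0. What follows is an added illustration and not OpenLDAP's code or the patch itself. It is a hypothetical, simplified model (the names Entry, entry_load, entry_release, search_buggy, search_fixed and live_entries are invented for this illustration, and a static pool with a live flag stands in for malloc/free) showing how an early-exit path that releases an entry, combined with a shared cleanup path that releases it again, produces a double free, next to the single-owner shape that cannot. The pool counts a second release instead of corrupting the heap, so the buggy variant can be observed without aborting the process.

```c
/* Added illustration, not OpenLDAP code: a minimal model of the bug class the
 * Followup 1 patch title names, "double free of search base with page size 0".
 * All names here (Entry, entry_load, entry_release, search_buggy, search_fixed,
 * live_entries) are hypothetical and do not mirror slapd's internal structures
 * or control flow. */
#include <stddef.h>
#include <stdio.h>

/* Entries come from a tiny static pool with a `live` flag so that a second
 * release can be counted and reported instead of corrupting the heap. */
typedef struct Entry {
    char dn[64];
    int  live;              /* 1 while allocated, 0 once released */
} Entry;

static Entry pool[4];
static int   double_free_count;   /* releases that hit an already-dead entry */

static Entry *entry_load(const char *dn) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) {
        if (!pool[i].live) {
            snprintf(pool[i].dn, sizeof pool[i].dn, "%s", dn);
            pool[i].live = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* Releasing a dead entry is what free() on an already-freed block would be. */
static void entry_release(Entry *e) {
    if (e == NULL) return;
    if (!e->live) { double_free_count++; return; }
    e->live = 0;
}

static int live_entries(void) {
    int n = 0;
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) n += pool[i].live;
    return n;
}

/* Buggy shape: the page-size-0 shortcut releases the base entry and then jumps
 * to the shared cleanup, which releases it again. Returns the number of double
 * releases observed: 1 reproduces the crash class, 0 is clean. */
int search_buggy(const char *base_dn, int page_size) {
    double_free_count = 0;
    Entry *base = entry_load(base_dn);
    if (base == NULL) return -1;

    if (page_size == 0) {
        /* "nothing to return" path: tidy up and leave early */
        entry_release(base);           /* first release; pointer left dangling */
        goto done;
    }
    /* ... a normal paged search over the subtree would run here ... */

done:
    entry_release(base);               /* second release on the page-size-0 path */
    return double_free_count;
}

/* Hardened shape: one owner, one release point. Every early exit goes through
 * the same cleanup, so no path can release the entry twice. Returns the number
 * of double releases, which is always 0. */
int search_fixed(const char *base_dn, int page_size) {
    double_free_count = 0;
    Entry *base = entry_load(base_dn);
    if (base == NULL) return -1;

    if (page_size == 0) {
        goto done;                     /* do not release here; cleanup owns it */
    }
    /* ... a normal paged search over the subtree would run here ... */

done:
    entry_release(base);
    base = NULL;                       /* a dangling pointer cannot be reused */
    return double_free_count;
}

int main(void) {
    printf("buggy, page size 0:  %d double release(s)\n",
           search_buggy("o=metacloud.org", 0));
    printf("buggy, page size 10: %d double release(s)\n",
           search_buggy("o=metacloud.org", 10));
    printf("fixed, page size 0:  %d double release(s), %d live entries left\n",
           search_fixed("o=metacloud.org", 0), live_entries());
    return 0;
}
```

In real code the counting pool is replaced by the allocator, and the second release is what AddressSanitizer (-fsanitize=address) reports as a double-free; the structural fix is the same as in search_fixed: release the entry in exactly one place that every exit path reaches.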


Followup 2

Date: Sat, 20 May 2017 11:36:13 -0700
From: Ryan Tandy <ryan@nardis.ca>
To: openldap-its@OpenLDAP.org
Cc: Karsten Heymann <karsten.heymann@gmail.com>, Quanah Gibson-Mount <quanah@symas.com>
Subject: Re: (ITS#8655) SECURITY: Segfault by ldapsearch with pagesize=0
Pushed to master.



Followup 3

Date: Mon, 29 May 2017 09:59:56 -0700
From: Ryan Tandy <ryan@nardis.ca>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8655) SECURITY: Segfault by ldapsearch with pagesize=0
For the record, CVE-2017-9287 was assigned to this issue.


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org