Full_Name: Rohan Kurane
Version: 2.4.40
OS: BSD 7.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (64.80.217.3)

In ldap_new_connection() in request.c, while setting up a connection to the LDAP
server, there is a possibility of dereferencing a NULL pointer in
lc->lconn_server:

    if ( connect ) {
        LDAPURLDesc **srvp, *srv = NULL;

        async = LDAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC );

        for ( srvp = srvlist; *srvp != NULL; srvp = &(*srvp)->lud_next ) {
            int rc;

            rc = ldap_int_open_connection( ld, lc, *srvp, async );
            if ( rc != -1 ) {
                srv = *srvp;

                if ( ld->ld_urllist_proc && ( !async || rc != -2 ) ) {
                    ld->ld_urllist_proc( ld, srvlist, srvp, ld->ld_urllist_params );
                }

                break;
            }
        }

        if ( srv == NULL ) {
            if ( !use_ldsb ) {
                ber_sockbuf_free( lc->lconn_sb );
            }
            LDAP_FREE( (char *)lc );
            ld->ld_errno = LDAP_SERVER_DOWN;
            return( NULL );
        }

        lc->lconn_server = ldap_url_dup( srv );
    }

ldap_url_dup() does a number of mallocs to set up lc->lconn_server. If any of
those mallocs fail, it returns NULL. The code does not check for a NULL
lconn_server pointer and tries to reference lud_exts. That can cause a
segmentation fault.

    if ( connect ) {
    #ifdef HAVE_TLS
        if ( lc->lconn_server->lud_exts ) {
            int rc, ext = find_tls_ext( lc->lconn_server );
            if ( ext ) {
                LDAPConn *savedefconn;

Even though this should not happen, is this a known issue and are there any
plans to fix the openldap library?

Thank you
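The failure path the report describes, modelled in plain C as an added example. This is not OpenLDAP's code and not its fix: the structures, the fault-injection switch `fail_alloc`, the error codes and the function names (`url_dup`, `new_connection`, `probe`) are all constructed here to stand in for ldap_url_dup(), ldap_new_connection() and their callers. The point it shows is the one the report makes: a deep copy that can return NULL on allocation failure must be checked before any of its fields are read, and the check has to release what was already built and hand back an error code rather than let the caller dereference NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for libldap's LDAPURLDesc and LDAPConn. */
typedef struct url_desc {
    char *host;
    char *exts;                 /* plays the role of lud_exts */
    struct url_desc *next;
} url_desc;

typedef struct conn {
    url_desc *server;           /* plays the role of lc->lconn_server */
} conn;

enum { ERR_SUCCESS = 0, ERR_SERVER_DOWN = 1, ERR_NO_MEMORY = 2 };

/* Fault injection: when nonzero, every allocation in url_dup() fails,
 * the condition the report describes for ldap_url_dup(). */
static int fail_alloc = 0;

static void *xmalloc(size_t n)
{
    return fail_alloc ? NULL : malloc(n);
}

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = xmalloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

static void url_free(url_desc *u)
{
    if (!u)
        return;
    free(u->exts);
    free(u->host);
    free(u);
}

/* Deep copy in the style of ldap_url_dup(): several allocations, and the
 * partial copy is released and NULL returned if any one of them fails. */
static url_desc *url_dup(const url_desc *src)
{
    url_desc *dst = xmalloc(sizeof *dst);
    if (!dst)
        return NULL;
    memset(dst, 0, sizeof *dst);
    if (src->host && !(dst->host = xstrdup(src->host)))
        goto fail;
    if (src->exts && !(dst->exts = xstrdup(src->exts)))
        goto fail;
    return dst;
fail:
    url_free(dst);
    return NULL;
}

/* Reads server->exts; safe only once server is known to be non-NULL. */
static int connection_has_exts(const conn *lc)
{
    return lc->server->exts != NULL;
}

/* Connection setup with the check the report says is missing. The unchecked
 * form goes straight from url_dup() to lc->server->exts, which is the NULL
 * dereference when allocation fails; here the failure becomes an error code
 * and the half-built connection is released. */
static conn *new_connection(const url_desc *srv, int *err)
{
    conn *lc = calloc(1, sizeof *lc);
    if (!lc) {
        *err = ERR_NO_MEMORY;
        return NULL;
    }
    lc->server = url_dup(srv);
    if (lc->server == NULL) {
        free(lc);
        *err = ERR_NO_MEMORY;
        return NULL;
    }
    /* Mirrors "if ( lc->lconn_server->lud_exts )" from the report, now
     * reached only with a valid server description. */
    if (connection_has_exts(lc)) {
        /* extension handling (e.g. TLS) would go here */
    }
    *err = ERR_SUCCESS;
    return lc;
}

static void free_connection(conn *lc)
{
    if (!lc)
        return;
    url_free(lc->server);
    free(lc);
}

/* Builds a connection from a constructed URL description, with allocation
 * failure either injected or not, and returns the resulting error code. */
static int probe(int inject_failure)
{
    url_desc src = { "ldap.example.test", "x-example-ext", NULL };
    int err = -1;

    fail_alloc = inject_failure;
    conn *lc = new_connection(&src, &err);
    fail_alloc = 0;
    free_connection(lc);
    return err;
}

int main(void)
{
    printf("normal allocation: err=%d\n", probe(0));
    printf("injected failure:  err=%d\n", probe(1));
    return 0;
}
```

Running the block prints error code 0 for the normal path and 2 (ERR_NO_MEMORY) for the injected failure; without the NULL check in `new_connection`, the second call would instead read through a NULL `server` pointer, which is the segmentation fault the report predicts.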
rohanskurane@gmail.com wrote:
> Full_Name: Rohan Kurane
> Version: 2.4.40
> OS: BSD 7.2
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (64.80.217.3)
>
>
> In ldap_new_connection() in request.c, while setting up a connection to the LDAP
> server, there is a possibility of dereferencing a NULL pointer in
> lc->lconn_server

Fixed in git master.

Please don't send HTML emails, they're particularly unreadable with embedded
code like this.

>
> if ( connect ) {
>     LDAPURLDesc **srvp, *srv = NULL;
>
>     async = LDAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC );
>
>     for ( srvp = srvlist; *srvp != NULL; srvp = &(*srvp)->lud_next ) {
>         int rc;
>
>         rc = ldap_int_open_connection( ld, lc, *srvp, async );
>         if ( rc != -1 ) {
>             srv = *srvp;
>
>             if ( ld->ld_urllist_proc && ( !async || rc != -2 ) ) {
>                 ld->ld_urllist_proc( ld, srvlist, srvp, ld->ld_urllist_params );
>             }
>
>             break;
>         }
>     }
>
>     if ( srv == NULL ) {
>         if ( !use_ldsb ) {
>             ber_sockbuf_free( lc->lconn_sb );
>         }
>         LDAP_FREE( (char *)lc );
>         ld->ld_errno = LDAP_SERVER_DOWN;
>         return( NULL );
>     }
>
>     lc->lconn_server = ldap_url_dup( srv );
> }
>
> ldap_url_dup() does a number of mallocs to set up lc->lconn_server. If any of
> those mallocs fail, it returns NULL. The code does not check for a NULL
> lconn_server pointer and tries to reference lud_exts. That can cause a
> segmentation fault.
>
> if ( connect ) {
> #ifdef HAVE_TLS
>     if ( lc->lconn_server->lud_exts ) {
>         int rc, ext = find_tls_ext( lc->lconn_server );
>         if ( ext ) {
>             LDAPConn *savedefconn;
>
> Even though this should not happen, is this a known issue and are there any
> plans to fix the openldap library?
>
> Thank you
>
>

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
changed notes changed state Open to Test moved from Incoming to Software Bugs
changed notes changed state Test to Release
fixed in master fixed in RE25 fixed in RE24
changed notes changed state Release to Closed