[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6163) back-sql DoS when searching for empty attr

Full_Name: Luben Karavelov
Version: 2.4.11-15
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

We use ldap for some user accounts authentication here and we have found that
queries of this kind :

ldapsearch -b "dc=users,dc=example,dc=com"

kill slapd. It exits on assert( 0 ) at line 1366 of back-sql/search.c

It is even nastier because it could be remotely triggered with 

ssh -l "" server-with-ldap-accounts-in-nss.example.com

or through ftp using the same technique.