
(ITS#7582) Access to uninitialized memory when sending cldap packet



Full_Name: Stef Walter
Version: 2.4.35
OS: Fedora 18
URL: http://fedorapeople.org/~stefw/patches/openldap-01/0001-Fix-usage-of-uninitialized-memory-when-sending-cldap.patch
Submission from: (NULL) (77.3.95.123)


When sending a cldap (UDP) packet, like a search request, uninitialized memory
is accessed. This shows up in valgrind like this:

==31445== Conditional jump or move depends on uninitialised value(s)
==31445==    at 0x36632244E6: ldap_send_server_request (request.c:377)
==31445==    by 0x36632247C2: ldap_send_initial_request (request.c:166)
==31445==    by 0x36632142F8: ldap_pvt_search (search.c:128)
==31445==    by 0x366321454F: ldap_search_ext (search.c:69)
==31445==    by 0x400838: main (in /data/projects/openldap/frob-cldap-search)
==31445== 

This is due to parsing the resulting packet to pull out a requestDN. UDP packets
have a different BER layout, and therefore the assumptions made when parsing the
outgoing request are invalid.

It does not seem necessary to track the request DN for UDP packets. The linked
patch disables this code path for UDP packets.

Patch which fixes the issue:
http://fedorapeople.org/~stefw/patches/openldap-01/0001-Fix-usage-of-uninitialized-memory-when-sending-cldap.patch

Test code for the issue:
http://fedorapeople.org/~stefw/patches/openldap-01/frob-cldap-search.c

Note that the test code doesn't detect the issue on its own (or do anything
useful). Use valgrind to detect the issue:

$ gcc -o frob-cldap-search -Wall -lldap -llber frob-cldap-search.c
$ valgrind ./frob-cldap-search
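The defect class the report describes (parsing an outgoing buffer under a layout assumption that does not hold for the CLDAP case, and then acting on locals that were never assigned) is easiest to see in a small, bounds-checked extractor. The program below is an added example written for this page; it is not OpenLDAP code and not the linked patch. It extracts the baseObject DN from a plain LDAP SearchRequest and refuses, with a clear "no DN" result, when the buffer does not start with the expected LDAPMessage SEQUENCE. Both byte strings are constructed here; the leading opaque bytes in the second one are only a stand-in for "a different BER layout" and do not claim to be the real CLDAP encoding. The function names and tag constants are this example's own.

```c
/* Added example: bounds-checked extraction of the request DN from an outgoing
 * LDAP SearchRequest. Every local that feeds a branch is initialised, every
 * parse step is checked, and a buffer whose layout differs from the expected
 * LDAPMessage yields -1 instead of a read of uninitialised memory.
 * Not OpenLDAP code; byte layouts below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cursor { const uint8_t *p; size_t left; };

/* Read one BER tag byte plus a short- or long-form length.
 * Returns 0 on success, -1 if the input is truncated or malformed. */
static int read_tl(struct cursor *c, uint8_t *tag, size_t *len)
{
    if (c->left < 2) return -1;
    *tag = c->p[0];
    uint8_t l0 = c->p[1];
    size_t hdr = 2, n = 0;
    if (l0 & 0x80) {                     /* long form: l0 & 0x7f length bytes */
        size_t nb = l0 & 0x7f;
        if (nb == 0 || nb > sizeof(size_t) || c->left < 2 + nb) return -1;
        for (size_t i = 0; i < nb; i++) n = (n << 8) | c->p[2 + i];
        hdr += nb;
    } else {
        n = l0;
    }
    if (n > c->left - hdr) return -1;    /* length claims more than we hold */
    c->p += hdr; c->left -= hdr;
    *len = n;
    return 0;
}

#define TAG_SEQUENCE  0x30
#define TAG_INTEGER   0x02
#define TAG_OCTETSTR  0x04
#define TAG_SEARCHREQ 0x63               /* [APPLICATION 3], constructed */

/* Expected layout:
 *   LDAPMessage   ::= SEQUENCE { messageID INTEGER, protocolOp SearchRequest }
 *   SearchRequest ::= [APPLICATION 3] SEQUENCE { baseObject LDAPDN, ... }
 * Copies the NUL-terminated DN into out and returns its length, or returns -1
 * when the buffer does not have this layout, so the caller never uses a
 * half-parsed result. */
int extract_search_dn(const uint8_t *msg, size_t msglen, char *out, size_t outsz)
{
    struct cursor c = { msg, msglen };
    uint8_t tag = 0;                     /* initialised: never branch on garbage */
    size_t len = 0;

    if (read_tl(&c, &tag, &len) || tag != TAG_SEQUENCE) return -1;
    c.left = len;                        /* confine parsing to the message */
    if (read_tl(&c, &tag, &len) || tag != TAG_INTEGER) return -1;
    c.p += len; c.left -= len;           /* skip messageID */
    if (read_tl(&c, &tag, &len) || tag != TAG_SEARCHREQ) return -1;
    c.left = len;
    if (read_tl(&c, &tag, &len) || tag != TAG_OCTETSTR) return -1;
    if (len + 1 > outsz) return -1;
    memcpy(out, c.p, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample: SEQUENCE { INTEGER 1, [APP 3] { OCTET STRING "dc=example" } } */
static const uint8_t sample_ldap[] = {
    0x30, 0x11, 0x02, 0x01, 0x01, 0x63, 0x0c, 0x04, 0x0a,
    'd', 'c', '=', 'e', 'x', 'a', 'm', 'p', 'l', 'e'
};

/* Constructed stand-in for a differently laid-out datagram: 16 opaque bytes
 * precede the LDAPMessage. This is an assumption for the example, not the
 * real CLDAP encoding. */
static const uint8_t sample_udp[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x30, 0x11, 0x02, 0x01, 0x01, 0x63, 0x0c, 0x04, 0x0a,
    'd', 'c', '=', 'e', 'x', 'a', 'm', 'p', 'l', 'e'
};

int main(void)
{
    char dn[64];
    int n = extract_search_dn(sample_ldap, sizeof sample_ldap, dn, sizeof dn);
    printf("ldap layout:     %s\n", n < 0 ? "(no DN)" : dn);
    n = extract_search_dn(sample_udp, sizeof sample_udp, dn, sizeof dn);
    printf("udp-style layout: %s\n", n < 0 ? "(no DN)" : dn);
    return 0;
}
```

Compiled with the same `gcc -Wall` line as the report's test program (minus the LDAP libraries) and run under valgrind, the example produces no uninitialised-value warnings for either buffer, because the outcome of each `read_tl` call is checked before any of its outputs is used. That is the property the report's patch restores for the UDP path by not attempting the extraction at all.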