
Re: (ITS#8820) ldap_get_attribute_ber() return NULL pointer while OK



daniel@haxx.se wrote:
> Full_Name: Daniel Stenberg
> Version: any
> OS: Linux
> URL:
> Submission from: (NULL) (178.174.211.173)
> 
> 
> The function ldap_get_attribute_ber() is called to get attributes, but it turns
> out that it can return LDAP_SUCCESS and still return a NULL pointer in the
> result pointer when getting a particularly crafted response.
> 
> This was a surprise to us and to curl, as this caused us a security
> vulnerability. See https://curl.haxx.se/docs/adv_2018-97a2.html
> 
> 1. There's no man page nor online resource to read the docs for this function so
> it's really hard to figure out this fact.
> 
> 2. This behavior is surprising, and this flaw was even written by someone very
> familiar with OpenLDAP, indicating it is unintended or at least not the normal
> path.

It's actually normal; if you issue a search and specify attrsonly, the results 
will only contain attribute names and no values. (e.g. using ldapsearch -A)

As such, returning LDAP_SUCCESS with a NULL value is correct.

Unfortunate oversight on my part when writing that curl patch.

Looking at the mitigation you've applied, I'm not sure it's correct. In 
particular, you're terminating the loop when you receive a NULL value, but 
there may actually be multiple attributes present (with no values on any of 
them) and you ought to continue iterating through them all.

> 3. Due to the above two points, I believe there's a risk curl is not the only
> application in the world that had this bad assumption and thus this might be a
> lurking security issue in more projects.
> 
>   / Daniel
> 
> 
> 


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
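
The difference between ending the loop on a NULL value pointer and continuing past it, as an added example that is not part of the original message and is not curl or OpenLDAP code. It does not link against libldap: `struct val`, `struct attr`, `mock_get_attribute()` and the sample entry are constructed stand-ins that only mimic the "success with NULL values" behaviour described in the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for libldap's value and attribute types (constructed). */
struct val  { const char *data; size_t len; };
struct attr { const char *name; const struct val *vals; size_t nvals; };

/* Constructed entry: two attributes without values around one with a value. */
static const struct val mail_vals[] = { { "a@example.com", 13 } };
static const struct attr entry[] = {
    { "cn", NULL, 0 }, { "mail", mail_vals, 1 }, { "sn", NULL, 0 },
};
#define N_ATTRS (sizeof entry / sizeof entry[0])

/* Hypothetical getter: always reports success; vals is NULL when the
 * attribute has no values, name is NULL once the entry is exhausted. */
static int mock_get_attribute(size_t *pos, struct attr *out)
{
    static const struct attr end = { NULL, NULL, 0 };
    *out = (*pos < N_ATTRS) ? entry[(*pos)++] : end;
    return 0;
}

/* Walk the entry; returns attribute names seen, sums value bytes. */
static size_t walk_entry(int stop_on_null_vals, size_t *value_bytes)
{
    struct attr a;
    size_t pos = 0, seen = 0, i;

    *value_bytes = 0;
    while (mock_get_attribute(&pos, &a) == 0 && a.name != NULL) {
        if (a.vals == NULL) {
            if (stop_on_null_vals)
                break;          /* drops every attribute after this one */
            seen++;             /* name only: record it, never touch vals */
            continue;
        }
        seen++;
        for (i = 0; i < a.nvals; i++)
            *value_bytes += a.vals[i].len;
    }
    return seen;
}

int main(void)
{
    size_t bytes, n = walk_entry(1, &bytes);
    printf("stop on NULL: %zu attrs, %zu bytes\n", n, bytes);
    n = walk_entry(0, &bytes);
    printf("continue:     %zu attrs, %zu bytes\n", n, bytes);
    return 0;
}
```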