
Re: (ITS#8842) NULL pointer dereference



On Tue, May 01, 2018 at 08:14:50PM +0000, openldap@katzen.cc wrote:
> 2 small issues:
> I'm keeping it brief, let me know if you need more information.
> 
> A malicious LDAP server or mitm attacker can craft a response that causes the
> ldap client to crash. Nothing critical, just a simple DoS.
> [...]
> The problem here is that retoid can be NULL after ldap_parse_intermediate() is
> called. 
>
> Another NULL pointer dereference caused by a bad response:
> [...]
> The PoC leads to memcpy being called with a NULL pointer as second argument
> (ava->la_value.bv_val) in dn2domain() (libraries/libldap/getdn.c):
> 
> AC_MEMCPY( str, ava->la_value.bv_val,  ava->la_value.bv_len + 1);

Both are fixed in this branch:
https://github.com/mistotebe/openldap/tree/its8842

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
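
Added example, not part of the message above and not the code in the its8842 branch: a sketch of the two defensive checks the report implies, namely treating an OID out-parameter as possibly NULL and validating a server-supplied value before it reaches a memcpy. The names struct bv, oid_is and join_domain are hypothetical stand-ins, not libldap definitions.

```c
/* Added example: stand-in types, not libldap's own definitions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct bv { size_t bv_len; char *bv_val; };  /* same shape as a berval */

/* An OID out-parameter may be NULL even when the parse call reported
 * success, so check it before comparing. */
static int oid_is(const char *retoid, const char *expected)
{
    return retoid != NULL && strcmp(retoid, expected) == 0;
}

/* Join values into "a.b.c". Returns 0 and a malloc'd string in *out,
 * or -1 if any value is unusable. */
static int join_domain(const struct bv *vals, size_t n, char **out)
{
    size_t total = 0, i;
    char *str, *p;
    *out = NULL;
    if (n == 0) return -1;
    for (i = 0; i < n; i++) {
        /* No buffer, empty value, or embedded NUL: refuse to copy. */
        if (vals[i].bv_val == NULL || vals[i].bv_len == 0) return -1;
        if (memchr(vals[i].bv_val, '\0', vals[i].bv_len)) return -1;
        if (vals[i].bv_len >= SIZE_MAX - total) return -1; /* overflow */
        total += vals[i].bv_len + 1;         /* value plus '.' or NUL */
    }
    if ((str = malloc(total)) == NULL) return -1;
    for (p = str, i = 0; i < n; i++) {
        memcpy(p, vals[i].bv_val, vals[i].bv_len);
        p += vals[i].bv_len;
        *p++ = (i + 1 < n) ? '.' : '\0';
    }
    *out = str;
    return 0;
}

int main(void)
{
    char dc1[] = "example", dc2[] = "com";   /* constructed sample input */
    struct bv good[] = { { 7, dc1 }, { 3, dc2 } }, bad[] = { { 3, NULL } };
    char *dom;
    if (join_domain(good, 2, &dom) == 0) { puts(dom); free(dom); }
    if (join_domain(bad, 1, &dom) != 0) puts("rejected NULL value");
    return oid_is(NULL, "1.2.3");
}
```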