[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8820) ldap_get_attribute_ber() return NULL pointer while OK

Full_Name: Daniel Stenberg
Version: any
OS: Linux
Submission from: (NULL) (

The function ldap_get_attribute_ber() is called to get attributes, but it turns
out that it can return LDAP_SUCCESS and still return a NULL pointer in the
result pointer when getting a particularly crafted response.

This was a surprise to us and to curl, as this caused us a security
vulnerability. See https://curl.haxx.se/docs/adv_2018-97a2.html

1. There's no man page nor online resource to read the docs for this function so
its really hard to figure out this fact.

2. This behavior is surprising, and this flaw was even written by someone very
familiar with OpenLDAP, indicating it is unintended or at least not the normal

3. Due to the above two points, I believe there's a risk curl is not the only
application in the world that had this bad assumption and thus this might be a
lurking security issue in more projects.

 / Daniel