
(ITS#9175) ldapsearch segfault



Full_Name: Lexi Haley
Version: 02/20/2020 trunk commit 299fb490a27e7b0e5a60464e33f5ea04d00f0f7c
OS: CYGWIN on Windows
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (208.206.3.188)


I am using clients/tools/ldapsearch to interact with my company's Active Directory,
and I receive a segfault in libraries/liblber/decode.c. The 'gist' of the
command I executed was:

ldapsearch.exe -h companyADserver -b cn=users,dc=company,dc=com -s sub '(cn=z*)' cn

The gdb backtrace is (omitting all the (arg=val) items for brevity):

#0  ber_get_stringbvl (...) at decode.c:445
#1  0x0000000100435781 in ber_scanf (...) at decode.c:820
#2  0x000000010041a605 in ldap_get_attribute_ber (...) at getattr.c:149
#3  0x0000000100401d93 in print_entry (...) at ldapsearch.c:1758
#5  0x000000010043bfd7 in main (...) at ldapsearch.c:1510

Digging around, here is what I see going on. In decode.c, during the
ber_get_stringbvl function, the passed-in b (aka the cookie from the caller) has the
following values:

{choice = BvOff, option = 0, siz = 1, off = 4294967296, result = 0x800055410}

Notice that off is 0x100000000, a likely ridiculous (and thus a possible MAGIC)
value. Examining in ber_scanf, looking at the memory for the va_args (i.e.
examining ap), I see (sure enough) 0x100000000...

As a hacky temporary workaround, I added the following to my ber_get_stringbvl, before even
pulling the tag:

	} res;

+	if (b->off == 0x100000000)
+		return LBER_DEFAULT;

	tag = ber_skip_tag( ber, &bv.bv_len );
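Review bot: the guard `if (b->off == 0x100000000)` compares against one specific value, so any other corrupted offset still reaches `ber_skip_tag( ber, &bv.bv_len )` and the store that follows; a bounds check that rejects any `off` that cannot fit a BerValue inside an element of size `siz` would cover the whole class rather than the one value seen in this gdb session. Returning LBER_DEFAULT here also hides the cause rather than fixing it: since the same 0x100000000 is already visible in `ap` inside ber_scanf, the bad value is produced upstream of ber_get_stringbvl, in how the caller's arguments are read by ber_scanf, and that is where the fix belongs.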


I did try rewinding my source back to OPENLDAP_REL_ENG_2_4_40 (2014) and then to
OPENLDAP_REL_ENG_2_4_30 (2012), and both compilations still yielded the segfault
error I described above.

I'm afraid I do not know much about LDAP or Active Directory, so I easily might be
omitting something relevant, and/or completely missing the mark in different ways.

Feel free to ask me for more information, and/or suggest what I might try out.

Thanks,
Lexi
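The workaround in the report rejects one specific offset value. The following added example (written for this page, not OpenLDAP's own code) shows the general alternative: validating a BvOff-style cookie by bounds instead of by a magic constant, so that any offset that cannot place a value inside an element of size siz is refused before anything is stored. The struct shapes (berval_like, bgbvr_like, entry_like), the function names and the sample values are assumptions that mirror the fields shown in the gdb dump; they are simplified stand-ins, not liblber's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for liblber's BerValue (assumption, not the real type). */
typedef struct berval_like {
    size_t bv_len;
    char  *bv_val;
} berval_like;

enum choice { ChArray, BvArray, BvVec, BvOff };

/* Stand-in for the cookie shown in the report: choice, option, siz, off, result.
 * siz/off are 64-bit so the reported value 0x100000000 fits on any host. */
typedef struct bgbvr_like {
    enum choice choice;
    int         option;
    uint64_t    siz;     /* element size when choice == BvOff */
    uint64_t    off;     /* byte offset of the berval inside each element */
    void       *result;  /* start of the caller's element array */
} bgbvr_like;

/* A caller-side element that embeds a berval at some offset (constructed). */
typedef struct entry_like {
    int         id;
    berval_like bv;
} entry_like;

/* Returns 1 when a BvOff cookie is internally consistent: the berval must fit
 * inside one element of size siz starting at byte off, and off + sizeof must
 * not wrap. Any out-of-range offset is rejected, not just 0x100000000. */
int bvoff_cookie_ok(const bgbvr_like *b)
{
    if (b->choice != BvOff)
        return 1;                                   /* siz/off unused otherwise */
    if (b->result == NULL || b->siz == 0)
        return 0;
    if (b->off > UINT64_MAX - sizeof(berval_like))  /* off + sizeof would wrap */
        return 0;
    if (b->off + sizeof(berval_like) > b->siz)      /* berval spills past element */
        return 0;
    return 1;
}

/* Store n string values into the element array described by the cookie,
 * the way a BvOff result is laid out: element i at result + i*siz, berval at +off.
 * Returns the number stored, or -1 if the cookie fails validation. */
int store_bervals(const bgbvr_like *b, const char **vals, size_t n)
{
    if (!bvoff_cookie_ok(b))
        return -1;
    char *base = b->result;
    for (size_t i = 0; i < n; i++) {
        berval_like *dst = (berval_like *)(base + i * (size_t)b->siz + (size_t)b->off);
        dst->bv_val = (char *)vals[i];
        dst->bv_len = strlen(vals[i]);
    }
    return (int)n;
}

/* The cookie values from the gdb dump (siz = 1, off = 0x100000000), constructed
 * here; returns 1 when the bounds check refuses it. */
int reported_cookie_rejected(void)
{
    entry_like scratch[1];
    bgbvr_like b = { BvOff, 0, 1, 0x100000000ULL, scratch };
    return !bvoff_cookie_ok(&b);
}

/* A well-formed cookie for entry_like: store two constructed values and return
 * the second value's length (6 for "cn=z22"); 0 on failure. */
size_t wellformed_store_len(void)
{
    entry_like arr[2];
    memset(arr, 0, sizeof arr);
    bgbvr_like b = { BvOff, 0, sizeof(entry_like), offsetof(entry_like, bv), arr };
    const char *vals[] = { "cn=z1", "cn=z22" };
    if (store_bervals(&b, vals, 2) != 2)
        return 0;
    return arr[1].bv.bv_len;
}

int main(void)
{
    printf("reported cookie rejected: %d\n", reported_cookie_rejected());
    printf("well-formed store, second length: %zu\n", wellformed_store_len());
    return 0;
}
```

With the reported values the check fails on the element-size test (a 16-byte berval cannot sit at any offset inside a 1-byte element), so the same guard would also have refused a cookie with off = 0 and siz = 1, which the equality test in the workaround lets through.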