openSUSE:Evergreen:11.1:kernel-2.6.32
File slapd-modrdn-crash-ITS-6570.dif of Package openldap2
From efa6e241d3128b7b575d9d4d98f1b50323e31b17 Mon Sep 17 00:00:00 2001 From: hyc <hyc> Date: Sun, 6 Jun 2010 22:02:32 +0000 Subject: slapd modrdn crash (ITS#6570) part #1 reject RDNs with binary BER values part #2 reject RDNs with empty values Unauthenticated LDAP clients could crash the server by submitting a specially crafted LDAP ModRDN operation. Part #1: OpenLDAP crashes with segfault during the processing of a modrdn call with maliciously formed destination rdn string. No authentication is required to trigger this vulnerability. Part #2: OpenLDAP crashes at a null pointer dereference during the processing of modrdn call with maliciously formed destination rdn string. No authentication is required to trigger this vulnerability. 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c index 9552070..c75d55d 100644 --- a/servers/slapd/dn.c +++ b/servers/slapd/dn.c @@ -318,16 +318,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx ) ava->la_attr = ad->ad_cname; if( ava->la_flags & LDAP_AVA_BINARY ) { - if( ava->la_value.bv_len == 0 ) { - /* BER encoding is empty */ - return LDAP_INVALID_SYNTAX; - } + /* AVA is binary encoded, not supported */ + return LDAP_INVALID_SYNTAX; /* Do not allow X-ORDERED 'VALUES' naming attributes */ } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) { return LDAP_INVALID_SYNTAX; - /* AVA is binary encoded, don't muck with it */ } else if( flags & SLAP_LDAPDN_PRETTY ) { transf = ad->ad_type->sat_syntax->ssyn_pretty; if( !transf ) { @@ -395,6 +392,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx ) ava->la_value = bv; ava->la_flags |= LDAP_AVA_FREE_VALUE; } + /* reject empty values */ + if (!ava->la_value.bv_len) { + return LDAP_INVALID_SYNTAX; + } } rc = LDAP_SUCCESS; diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c index ef124ec..16fb27b 100644 --- a/servers/slapd/modrdn.c +++ b/servers/slapd/modrdn.c 
@@ -445,12 +445,19 @@ slap_modrdn2mods( mod_tmp->sml_values[1].bv_val = NULL; if( desc->ad_type->sat_equality->smr_normalize) { mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); - (void) (*desc->ad_type->sat_equality->smr_normalize)( + rs->sr_err = desc->ad_type->sat_equality->smr_normalize( SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, desc->ad_type->sat_syntax, desc->ad_type->sat_equality, &mod_tmp->sml_values[0], &mod_tmp->sml_nvalues[0], NULL ); + if (rs->sr_err != LDAP_SUCCESS) { + ch_free(mod_tmp->sml_nvalues); + ch_free(mod_tmp->sml_values[0].bv_val); + ch_free(mod_tmp->sml_values); + ch_free(mod_tmp); + goto done; + } mod_tmp->sml_nvalues[1].bv_val = NULL; } else { mod_tmp->sml_nvalues = NULL; diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c index eb394e8..0b96520 100644 --- a/servers/slapd/schema_init.c +++ b/servers/slapd/schema_init.c @@ -1547,8 +1547,9 @@ UTF8StringNormalize( ? LDAP_UTF8_APPROX : 0; val = UTF8bvnormalize( val, &tmp, flags, ctx ); + /* out of memory or syntax error, the former is unlikely */ if( val == NULL ) { - return LDAP_OTHER; + return LDAP_INVALID_SYNTAX; } /* collapse spaces (in place) */ -- 1.7.0.3
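Review bot: in servers/slapd/dn.c, hunk @@ -318, the LDAP_AVA_BINARY branch goes from rejecting only a zero-length value to rejecting every binary-encoded AVA, and that behaviour change is documented only by the three-word comment "not supported". Please say in the comment (or the commit message) that LDAPRDN_rewrite now returns LDAP_INVALID_SYNTAX for all binary AVAs, so a caller that previously passed a non-empty binary RDN through this function knows the rejection is deliberate. The retained comment "Do not allow X-ORDERED 'VALUES' naming attributes" now sits directly after an unconditional return inside the binary branch; moving it into the else-if branch it describes would make the code easier to read.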
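Review bot: in servers/slapd/dn.c, hunk @@ -395, the new empty-value check runs after the block that assigns ava->la_value = bv, so it tests the transformed value rather than the value the client sent, but the comment "reject empty values" does not say so. Suggest wording such as "reject values that are empty after pretty/normalize" so a later reader does not move the check above the transform. The early return also happens after LDAP_AVA_FREE_VALUE has been set on this AVA; it is worth confirming that the caller frees the RDN on a non-success return. Minor style point: the added line uses "if (!ava->la_value.bv_len)" while the rest of the function uses the "if( ... )" spacing.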
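Review bot: in servers/slapd/modrdn.c, hunk @@ -445, the new failure path frees only the current mod_tmp (sml_nvalues, sml_values[0].bv_val, sml_values, mod_tmp) before "goto done", and nothing in the hunk shows what happens to modifications built before this one. Please confirm that the code at "done" releases any earlier entries when rs->sr_err is set, otherwise a rejected RDN leaks them on every failed request. The four hand-written ch_free calls also have to stay in sync with how mod_tmp is populated above; a short comment listing what has been allocated at this point would help. Style: "if (rs->sr_err != LDAP_SUCCESS)" differs from the "if( ... )" spacing on the neighbouring lines.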
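Review bot: in servers/slapd/schema_init.c, hunk @@ -1547, the NULL return from UTF8bvnormalize is now always reported as LDAP_INVALID_SYNTAX even though the added comment itself says the cause may be out of memory. An allocation failure would then be returned to the client as a syntax error in its own request, which is misleading when diagnosing a server under memory pressure. If UTF8bvnormalize cannot distinguish the two cases, say so explicitly in the comment; if it can, keep LDAP_OTHER for the allocation failure and use LDAP_INVALID_SYNTAX only for malformed input.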