1
0
forked from pool/openldap2
openldap2/slapd-modrdn-crash-ITS-6570.dif

101 lines
3.2 KiB
Plaintext
Raw Normal View History

From 6e229f5b94be41c4b9372914ae9bff90ccd81014 Mon Sep 17 00:00:00 2001
From: hyc <hyc>
Date: Sun, 6 Jun 2010 22:02:32 +0000
Subject: slapd modrdn crash (ITS#6570)
part #1 reject RDNs with binary BER values
part #2 reject RDNs with empty values
Unauthenticated LDAP clients could crash the server by submitting a
specially crafted LDAP ModRDN operatoin.
Part #1:
OpenLDAP crashes with segfault during the processing of a modrdn call with
maliciously formed destination rdn string. No authentication is required to
trigger this vulnerability.
Part #2:
OpenLDAP crashes at a null pointer dereference during the processing of modrdn
call with maliciously formed destination rdn string. No authentication is
required to trigger this vulnerability.
3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
index 3534e7f..75d2204 100644
--- a/servers/slapd/dn.c
+++ b/servers/slapd/dn.c
@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
ava->la_attr = ad->ad_cname;
if( ava->la_flags & LDAP_AVA_BINARY ) {
- if( ava->la_value.bv_len == 0 ) {
- /* BER encoding is empty */
- return LDAP_INVALID_SYNTAX;
- }
+ /* AVA is binary encoded, not supported */
+ return LDAP_INVALID_SYNTAX;
/* Do not allow X-ORDERED 'VALUES' naming attributes */
} else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
return LDAP_INVALID_SYNTAX;
- /* AVA is binary encoded, don't muck with it */
} else if( flags & SLAP_LDAPDN_PRETTY ) {
transf = ad->ad_type->sat_syntax->ssyn_pretty;
if( !transf ) {
@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
ava->la_value = bv;
ava->la_flags |= LDAP_AVA_FREE_VALUE;
}
+ /* reject empty values */
+ if (!ava->la_value.bv_len) {
+ return LDAP_INVALID_SYNTAX;
+ }
}
rc = LDAP_SUCCESS;
diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
index e386ef9..e143a7b 100644
--- a/servers/slapd/modrdn.c
+++ b/servers/slapd/modrdn.c
@@ -445,12 +445,19 @@ slap_modrdn2mods(
mod_tmp->sml_values[1].bv_val = NULL;
if( desc->ad_type->sat_equality->smr_normalize) {
mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
- (void) (*desc->ad_type->sat_equality->smr_normalize)(
+ rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
desc->ad_type->sat_syntax,
desc->ad_type->sat_equality,
&mod_tmp->sml_values[0],
&mod_tmp->sml_nvalues[0], NULL );
+ if (rs->sr_err != LDAP_SUCCESS) {
+ ch_free(mod_tmp->sml_nvalues);
+ ch_free(mod_tmp->sml_values[0].bv_val);
+ ch_free(mod_tmp->sml_values);
+ ch_free(mod_tmp);
+ goto done;
+ }
mod_tmp->sml_nvalues[1].bv_val = NULL;
} else {
mod_tmp->sml_nvalues = NULL;
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 68e6d28..d2f4708 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -1732,8 +1732,9 @@ UTF8StringNormalize(
? LDAP_UTF8_APPROX : 0;
val = UTF8bvnormalize( val, &tmp, flags, ctx );
+ /* out of memory or syntax error, the former is unlikely */
if( val == NULL ) {
- return LDAP_OTHER;
+ return LDAP_INVALID_SYNTAX;
}
/* collapse spaces (in place) */
--
1.7.0.3