forked from pool/openldap2
9e343b5b6a
checked in (request 46363) OBS-URL: https://build.opensuse.org/request/show/46363 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=45
101 lines
3.2 KiB
Plaintext
101 lines
3.2 KiB
Plaintext
From 6e229f5b94be41c4b9372914ae9bff90ccd81014 Mon Sep 17 00:00:00 2001
|
|
From: hyc <hyc>
|
|
Date: Sun, 6 Jun 2010 22:02:32 +0000
|
|
Subject: slapd modrdn crash (ITS#6570)
|
|
|
|
part #1 reject RDNs with binary BER values
|
|
part #2 reject RDNs with empty values
|
|
|
|
Unauthenticated LDAP clients could crash the server by submitting a
|
|
specially crafted LDAP ModRDN operatoin.
|
|
|
|
Part #1:
|
|
OpenLDAP crashes with segfault during the processing of a modrdn call with
|
|
maliciously formed destination rdn string. No authentication is required to
|
|
trigger this vulnerability.
|
|
|
|
Part #2:
|
|
OpenLDAP crashes at a null pointer dereference during the processing of modrdn
|
|
call with maliciously formed destination rdn string. No authentication is
|
|
required to trigger this vulnerability.
|
|
|
|
3 files changed, 16 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
|
|
index 3534e7f..75d2204 100644
|
|
--- a/servers/slapd/dn.c
|
|
+++ b/servers/slapd/dn.c
|
|
@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
|
|
ava->la_attr = ad->ad_cname;
|
|
|
|
if( ava->la_flags & LDAP_AVA_BINARY ) {
|
|
- if( ava->la_value.bv_len == 0 ) {
|
|
- /* BER encoding is empty */
|
|
- return LDAP_INVALID_SYNTAX;
|
|
- }
|
|
+ /* AVA is binary encoded, not supported */
|
|
+ return LDAP_INVALID_SYNTAX;
|
|
|
|
/* Do not allow X-ORDERED 'VALUES' naming attributes */
|
|
} else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
|
|
return LDAP_INVALID_SYNTAX;
|
|
|
|
- /* AVA is binary encoded, don't muck with it */
|
|
} else if( flags & SLAP_LDAPDN_PRETTY ) {
|
|
transf = ad->ad_type->sat_syntax->ssyn_pretty;
|
|
if( !transf ) {
|
|
@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
|
|
ava->la_value = bv;
|
|
ava->la_flags |= LDAP_AVA_FREE_VALUE;
|
|
}
|
|
+ /* reject empty values */
|
|
+ if (!ava->la_value.bv_len) {
|
|
+ return LDAP_INVALID_SYNTAX;
|
|
+ }
|
|
}
|
|
rc = LDAP_SUCCESS;
|
|
|
|
diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
|
|
index e386ef9..e143a7b 100644
|
|
--- a/servers/slapd/modrdn.c
|
|
+++ b/servers/slapd/modrdn.c
|
|
@@ -445,12 +445,19 @@ slap_modrdn2mods(
|
|
mod_tmp->sml_values[1].bv_val = NULL;
|
|
if( desc->ad_type->sat_equality->smr_normalize) {
|
|
mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
|
|
- (void) (*desc->ad_type->sat_equality->smr_normalize)(
|
|
+ rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
|
|
SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
|
|
desc->ad_type->sat_syntax,
|
|
desc->ad_type->sat_equality,
|
|
&mod_tmp->sml_values[0],
|
|
&mod_tmp->sml_nvalues[0], NULL );
|
|
+ if (rs->sr_err != LDAP_SUCCESS) {
|
|
+ ch_free(mod_tmp->sml_nvalues);
|
|
+ ch_free(mod_tmp->sml_values[0].bv_val);
|
|
+ ch_free(mod_tmp->sml_values);
|
|
+ ch_free(mod_tmp);
|
|
+ goto done;
|
|
+ }
|
|
mod_tmp->sml_nvalues[1].bv_val = NULL;
|
|
} else {
|
|
mod_tmp->sml_nvalues = NULL;
|
|
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
|
|
index 68e6d28..d2f4708 100644
|
|
--- a/servers/slapd/schema_init.c
|
|
+++ b/servers/slapd/schema_init.c
|
|
@@ -1732,8 +1732,9 @@ UTF8StringNormalize(
|
|
? LDAP_UTF8_APPROX : 0;
|
|
|
|
val = UTF8bvnormalize( val, &tmp, flags, ctx );
|
|
+ /* out of memory or syntax error, the former is unlikely */
|
|
if( val == NULL ) {
|
|
- return LDAP_OTHER;
|
|
+ return LDAP_INVALID_SYNTAX;
|
|
}
|
|
|
|
/* collapse spaces (in place) */
|
|
--
|
|
1.7.0.3
|
|
|