From 6e229f5b94be41c4b9372914ae9bff90ccd81014 Mon Sep 17 00:00:00 2001
From: hyc
Date: Sun, 6 Jun 2010 22:02:32 +0000
Subject: slapd modrdn crash (ITS#6570)
part #1 reject RDNs with binary BER values
part #2 reject RDNs with empty values
Unauthenticated LDAP clients could crash the server by submitting a specially crafted LDAP ModRDN operatoin.
Part #1: OpenLDAP crashes with segfault during the processing of a modrdn call with maliciously formed destination rdn string. No authentication is required to trigger this vulnerability.
Part #2: OpenLDAP crashes at a null pointer dereference during the processing of modrdn call with maliciously formed destination rdn string. No authentication is required to trigger this vulnerability.
3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
index 3534e7f..75d2204 100644
--- a/servers/slapd/dn.c
+++ b/servers/slapd/dn.c
@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
 ava->la_attr = ad->ad_cname;
 if( ava->la_flags & LDAP_AVA_BINARY ) {
- if( ava->la_value.bv_len == 0 ) {
- /* BER encoding is empty */
- return LDAP_INVALID_SYNTAX;
- }
+ /* AVA is binary encoded, not supported */
+ return LDAP_INVALID_SYNTAX;
 /* Do not allow X-ORDERED 'VALUES' naming attributes */
 } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
 return LDAP_INVALID_SYNTAX;
- /* AVA is binary encoded, don't muck with it */
 } else if( flags & SLAP_LDAPDN_PRETTY ) {
 transf = ad->ad_type->sat_syntax->ssyn_pretty;
 if( !transf ) {
@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
 ava->la_value = bv;
 ava->la_flags |= LDAP_AVA_FREE_VALUE;
 }
+ /* reject empty values */
+ if (!ava->la_value.bv_len) {
+ return LDAP_INVALID_SYNTAX;
+ }
 }
 rc = LDAP_SUCCESS;
diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
index e386ef9..e143a7b 100644
--- a/servers/slapd/modrdn.c
+++ b/servers/slapd/modrdn.c
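Review bot: The new `return LDAP_INVALID_SYNTAX` for binary AVAs, like the one added after the rewrite loop body in the second dn.c hunk (@@ -379,6 +376,10 @@), exits LDAPRDN_rewrite before any value that an earlier AVA of a multi-valued RDN already had replaced (`ava->la_flags |= LDAP_AVA_FREE_VALUE`) is released, so the caller must free the partially rewritten RDN on error. That mirrors the pre-existing return on SLAP_AT_ORDERED_VAL in this hunk, so presumably the callers already do this, but nothing in the hunk says so. A comment on the new return, `/* caller releases the partially rewritten rdn on error */`, would pin the ownership; the same wording fits the second hunk. LDAPRDN_rewrite starts and ends outside both hunks.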
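Review bot: The added `if (!ava->la_value.bv_len) {` in the second dn.c hunk is written in a different style from the surrounding code and from the check it replaces in the first hunk (`if( ava->la_value.bv_len == 0 ) {`); matching the file's `if( ... )` form keeps the rewrite readable as one function. The check sits after `ava->la_value = bv;`, so it also catches a value that the pretty/normalize step above it (outside the hunk) reduced to empty, not only a value that arrived empty, which appears to be the intent and is worth saying in the comment: `/* reject values that are empty, or that pretty/normalize collapsed to empty */`.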
@@ -445,12 +445,19 @@ slap_modrdn2mods(
 mod_tmp->sml_values[1].bv_val = NULL;
 if( desc->ad_type->sat_equality->smr_normalize) {
 mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
- (void) (*desc->ad_type->sat_equality->smr_normalize)(
+ rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
 SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
 desc->ad_type->sat_syntax,
 desc->ad_type->sat_equality,
 &mod_tmp->sml_values[0],
 &mod_tmp->sml_nvalues[0], NULL );
+ if (rs->sr_err != LDAP_SUCCESS) {
+ ch_free(mod_tmp->sml_nvalues);
+ ch_free(mod_tmp->sml_values[0].bv_val);
+ ch_free(mod_tmp->sml_values);
+ ch_free(mod_tmp);
+ goto done;
+ }
 mod_tmp->sml_nvalues[1].bv_val = NULL;
 } else {
 mod_tmp->sml_nvalues = NULL;
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 68e6d28..d2f4708 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -1732,8 +1732,9 @@ UTF8StringNormalize(
 ? LDAP_UTF8_APPROX : 0;
 val = UTF8bvnormalize( val, &tmp, flags, ctx );
+ /* out of memory or syntax error, the former is unlikely */
 if( val == NULL ) {
- return LDAP_OTHER;
+ return LDAP_INVALID_SYNTAX;
 }
 /* collapse spaces (in place) */
-- 
1.7.0.3
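Review bot: The new failure path in slap_modrdn2mods sets only `rs->sr_err` before `goto done`, so the client receives the normalizer's result code with no diagnostic message; adding `rs->sr_text = "unable to normalize new RDN value";` next to it would make the rejection understandable in client logs and server traces. The block frees the mod being built but relies on the `done:` label, which is outside the hunk, to release any mods already chained for earlier AVAs of a multi-valued RDN; if `done:` does not do that, those leak on this path. Freeing `sml_nvalues` without touching `sml_nvalues[0]` is correct only if a failing normalizer leaves nothing allocated there, which the hunk cannot show. slap_modrdn2mods starts and ends outside the hunk.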
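Review bot: Changing the NULL-result return of UTF8StringNormalize from LDAP_OTHER to LDAP_INVALID_SYNTAX affects every caller of the normalizer, not just the modrdn path this commit is fixing, and it reports an allocation failure to the client as a syntax error in its own value; the added comment admits the conflation but not why it is acceptable. The comment should state what callers now rely on, for example `/* NULL means invalid UTF-8 (or, unlikely, out of memory); report it as a syntax error so callers such as slap_modrdn2mods reject the value */`. Whether UTF8bvnormalize can report which of the two occurred is not visible here; if it can, mapping only the syntax case to LDAP_INVALID_SYNTAX would be cleaner. UTF8StringNormalize starts and ends outside the hunk.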