openldap-bugs

openldap-bugs@openldap.org

1 participants
21153 discussions

[Issue 10453] Security Vulnerability Report: Multiple CWE-22, CWE-416 and CWE-476 Issues Identified
by openldap-its＠openldap.org 17 Feb '26

17 Feb '26

https://bugs.openldap.org/show_bug.cgi?id=10453 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|needs_review | -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10445] New: memroy leak in get_mra
by openldap-its＠openldap.org 16 Feb '26

16 Feb '26

https://bugs.openldap.org/show_bug.cgi?id=10445 Issue ID: 10445 Summary: memroy leak in get_mra Product: OpenLDAP Version: 2.6.12 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: kangyang126(a)gmail.com Target Milestone: --- # ASAN Leak Report: Extensible Matching Rule Assertion ## Component * **File:** `servers/slapd/mra.c` * **Function:** `get_mra` ## Issue Description **LeakSanitizer Error:** Memory leak detected when parsing a matching rule assertion (MRA). ```shell ==179518==ERROR: LeakSanitizer: detected memory leaks Direct leak of 58 byte(s) in 1 object(s) allocated from: #0 0x555555963614 in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:67:3 #1 0x555555f57804 in ber_memalloc_x /src/openldap/libraries/liblber/memory.c:228:9 #2 0x555555b3a3a3 in slap_sl_malloc /src/openldap/servers/slapd/sl_malloc.c:302:12 #3 0x555555b2b465 in slap_bv2tmp_ad /src/openldap/servers/slapd/ad.c:808:4 #4 0x555555a0a2a5 in get_mra /src/openldap/servers/slapd/mra.c:151:18 #5 0x5555559ea994 in get_filter0 /src/openldap/servers/slapd/filter.c:286:9 #6 0x5555559baea5 in str2filter_x /src/openldap/servers/slapd/str2filter.c:65:7 #7 0x5555559bb1b7 in str2filter /src/openldap/servers/slapd/str2filter.c:83:9 #8 0x555555b61174 in authzPrettyNormal /src/openldap/servers/slapd/saslauthz.c:804:7 #9 0x555555b617db in authzPretty /src/openldap/servers/slapd/saslauthz.c:905:7 #10 0x555555a86b16 in ordered_value_pretty /src/openldap/servers/slapd/value.c:511:7 #11 0x555555b40939 in slap_mods_check /src/openldap/servers/slapd/modify.c:577:11 #12 0x555555b3efa1 in do_modify /src/openldap/servers/slapd/modify.c:165:15 #13 0x5555559e055d in connection_operation /src/openldap/servers/slapd/connection.c:1137:7 #14 0x5555559df327 in connection_read_thread /src/openldap/servers/slapd/connection.c:1289:14 #15 0x5555559a769a in LLVMFuzzerTestOneInput /src/fuzz_slapd.c:88:5 ``` The function `get_mra` allocates memory for the `MatchingRuleAssertion` structure and its members (such as `ma_desc` or `ma_value`). If a logical error occurs *after* these allocations (e.g., "matching rule not recognized" or "inappropriate matching"), the function previously returned an error code immediately without freeing the allocated memory. ## Fix Implemented a `return_error` label with cleanup logic. * Replaced direct `return` statements in error paths with `goto return_error`. * The `return_error` block calls `mra_free()` to release all resources allocated for the MRA before returning the error code. ## Diff ```diff diff --git a/servers/slapd/mra.c b/servers/slapd/mra.c index 2295c13..55adfc3 100644 --- a/servers/slapd/mra.c +++ b/servers/slapd/mra.c @@ -33,6 +33,8 @@ mra_free( MatchingRuleAssertion *mra, int freeit ) { + if ( mra == NULL ) return; + #ifdef LDAP_COMP_MATCH /* free component assertion */ if ( mra->ma_rule->smr_usage & SLAP_MR_COMPONENT && mra->ma_cf ) { @@ -158,7 +160,8 @@ get_mra( ma.ma_rule = mr_bvfind( &rule_text ); if( ma.ma_rule == NULL ) { *text = "matching rule not recognized"; - return LDAP_INAPPROPRIATE_MATCHING; + rc = LDAP_INAPPROPRIATE_MATCHING; + goto return_error; } } @@ -168,7 +171,8 @@ get_mra( */ if ( ma.ma_desc == NULL ) { *text = "no matching rule or type"; - return LDAP_INAPPROPRIATE_MATCHING; + rc = LDAP_INAPPROPRIATE_MATCHING; + goto return_error; } if ( ma.ma_desc->ad_type->sat_equality != NULL && @@ -180,14 +184,16 @@ get_mra( } else { *text = "no appropriate rule to use for type"; - return LDAP_INAPPROPRIATE_MATCHING; + rc = LDAP_INAPPROPRIATE_MATCHING; + goto return_error; } } if ( ma.ma_desc != NULL ) { if( !mr_usable_with_at( ma.ma_rule, ma.ma_desc->ad_type ) ) { *text = "matching rule use with this attribute not appropriate"; - return LDAP_INAPPROPRIATE_MATCHING; + rc = LDAP_INAPPROPRIATE_MATCHING; + goto return_error; } } @@ -200,18 +206,18 @@ get_mra( SLAP_MR_EXT|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, &value, &ma.ma_value, text, op->o_tmpmemctx ); - if( rc != LDAP_SUCCESS ) return rc; + if( rc != LDAP_SUCCESS ) goto return_error; #ifdef LDAP_COMP_MATCH /* Check If this attribute is aliased */ if ( is_aliased_attribute && ma.ma_desc && ( aa = is_aliased_attribute ( ma.ma_desc ) ) ) { rc = get_aliased_filter ( op, &ma, aa, text ); - if ( rc != LDAP_SUCCESS ) return rc; + if ( rc != LDAP_SUCCESS ) goto return_error; } else if ( ma.ma_rule && ma.ma_rule->smr_usage & SLAP_MR_COMPONENT ) { /* Matching Rule for Component Matching */ rc = get_comp_filter( op, &ma.ma_value, &ma.ma_cf, text ); - if ( rc != LDAP_SUCCESS ) return rc; + if ( rc != LDAP_SUCCESS ) goto return_error; } #endif @@ -228,4 +234,8 @@ get_mra( } return LDAP_SUCCESS; + +return_error: + mra_free( op, &ma, 0 ); + return rc; } ``` ## Harness ``` #define _GNU_SOURCE /* For memfd_create */ #include "portable.h" #include <stdio.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/mman.h> #include <sys/types.h> #include <signal.h> #include "slap.h" /* 1. Fix function declarations to match return types in OpenLDAP source code */ extern void slap_sl_mem_init( void ); extern int slapd_daemon_init( const char *urls ); extern int extops_init( void ); /* Returns int */ extern void lutil_passwd_init( void ); extern int slap_init( int mode, const char *name ); extern int read_config( const char *fname, const char *dname ); extern int connections_init( void ); /* Returns int */ extern int slap_startup( Backend *be ); void slapd_daemon_nothread( void ) {} extern int ldap_pvt_thread_initialize( void ); /* Returns int */ extern void* ldap_pvt_thread_pool_context( void ); extern void* connection_read_thread( void *ctx, void *arg ); extern void connection_closing( Connection *c, const char *why ); extern int connection_resched( Connection *c ); extern Connection* connection_init( int sfd, Listener *l, const char *authid, const char *dns, int flags, slap_ssf_t ssf, struct berval *authid_out ); extern ldap_pvt_thread_pool_t connection_pool; static Listener *global_listener = NULL; static struct berval authid_bv = {0, ""}; int LLVMFuzzerInitialize(int *argc, char ***argv) { signal(SIGPIPE, SIG_IGN); slap_debug = 0; slap_sl_mem_init(); if ( 0 != slapd_daemon_init("ldapi://%2Ftmp%2Ffuzz.sock") ) return 1; extops_init(); lutil_passwd_init(); if ( slap_init(SLAP_SERVER_MODE, "slapd-fuzz") ) return 2; read_config( NULL, NULL ); connections_init(); slap_startup(NULL); slapd_daemon_nothread(); ldap_pvt_thread_initialize(); global_listener = slapd_get_listeners()[0]; if (!global_listener) return 3; return 0; } #include <sys/socket.h> int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if (Size < 2 || Size > 65536) return 0; /* 2. Use socketpair to simulate socket read/write */ int sv[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0; if (write(sv[0], Data, Size) != (ssize_t)Size) { close(sv[0]); close(sv[1]); return 0; } /* Close write end so server receives EOF after reading data */ close(sv[0]); /* 3. Create connection (server uses sv[1]) */ Connection *c = connection_init(sv[1], global_listener, "fuzz", "IP=127.0.0.1", 0, 0, &authid_bv); if (!c) { close(sv[1]); return 0; } void* ctx = ldap_pvt_thread_pool_context(); /* Execute parsing logic */ connection_read_thread(ctx, (void*)(long)sv[1]); /* Wait for thread pool to complete all tasks to prevent background threads from accessing freed connection */ int active = 0, pending = 0; do { ldap_pvt_thread_pool_query(&connection_pool, LDAP_PVT_THREAD_POOL_PARAM_PENDING, &pending); ldap_pvt_thread_pool_query(&connection_pool, LDAP_PVT_THREAD_POOL_PARAM_ACTIVE, &active); if (active == 0 && pending == 0) break; ldap_pvt_thread_yield(); } while (1); /* 4. Thoroughly clean up manually, avoiding unstable macros * Directly manipulate queue pointers to ensure no 'error: use of undeclared identifier o_next' */ Operation *op; while ((op = LDAP_STAILQ_FIRST(&c->c_ops)) != NULL) { LDAP_STAILQ_REMOVE_HEAD(&c->c_ops, o_next); LDAP_STAILQ_NEXT(op, o_next) = NULL; slap_op_free(op, ctx); } LDAP_STAILQ_INIT(&c->c_ops); /* Close and reclaim Connection memory */ connection_closing(c, "fuzz complete"); connection_resched(c); /* ldap_pvt_thread_pool_resume(&connection_pool); */ return 0; } ``` -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10449] New: memory leak in parseReadAttrs
by openldap-its＠openldap.org 16 Feb '26

16 Feb '26

https://bugs.openldap.org/show_bug.cgi?id=10449 Issue ID: 10449 Summary: memory leak in parseReadAttrs Product: OpenLDAP Version: 2.6.12 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: kangyang126(a)gmail.com Target Milestone: --- # ASAN Leak Report: Pre-read / Post-read Control Attributes ## Component * **File:** `servers/slapd/controls.c` * **Function:** `parseReadAttrs` ## Issue Description **LeakSanitizer Error:** Memory leak detected in `AttributeName` array. ```plaintext ==202371==ERROR: LeakSanitizer: detected memory leaks Direct leak of 80 byte(s) in 1 object(s) allocated from: #0 0x555555963614 in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:67:3 #1 0x555555f578d4 in ber_memalloc_x /src/openldap/libraries/liblber/memory.c:228:9 #2 0x555555f4c5e2 in ber_get_stringbvl /src/openldap/libraries/liblber/decode.c:421:14 #3 0x555555f4ac2f in ber_scanf /src/openldap/libraries/liblber/decode.c:815:9 #4 0x555555b150e4 in parseReadAttrs /src/openldap/servers/slapd/controls.c:1514:7 #5 0x555555b0d13c in slap_parse_ctrl /src/openldap/servers/slapd/controls.c:738:10 #6 0x555555b0e101 in get_ctrls2 /src/openldap/servers/slapd/controls.c:929:16 #7 0x555555a35c0e in do_modrdn /src/openldap/servers/slapd/modrdn.c:129:6 #8 0x5555559e055d in connection_operation /src/openldap/servers/slapd/connection.c:1137:7 #9 0x5555559df327 in connection_read_thread /src/openldap/servers/slapd/connection.c:1289:14 #10 0x5555559a769a in LLVMFuzzerTestOneInput /src/fuzz_slapd.c:88:5 ``` The function `parseReadAttrs` uses `ber_scanf` with the `M` format specifier to allocate an array of `AttributeName` structures. 1. **Memory Leak:** This array was not freed if the function encountered an error (e.g., critical control verification failure) after the allocation. 2. **Invalid Free:** Attempting to free `bv_val` strings inside the array caused an "attempting free on address which was not malloc()-ed" error, because these pointers refer to the internal `BerElement` buffer. 3. **Segmentation Fault:** Accessing the array to write a terminator without checking for `NULL` caused a crash on empty attribute lists. ## Fix * **Leak Fix:** Added comprehensive cleanup logic at the `done` label to free the `AttributeName` array if an error occurs. * **Logic Fix:** Refactored the loop to filter attributes without attempting to free the internal string pointers, avoiding the `Invalid Free` error. ## Diff ```diff diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c index 3d18345..3c90884 100644 --- a/servers/slapd/controls.c +++ b/servers/slapd/controls.c @@ -1476,7 +1476,7 @@ parseReadAttrs( LDAPControl *ctrl, int post ) { - ber_len_t siz, off, i; + ber_len_t siz, off, i, good_i = 0; BerElement *ber; AttributeName *an = NULL; @@ -1520,14 +1520,16 @@ parseReadAttrs( for ( i = 0; i < siz; i++ ) { const char *dummy = NULL; int rc; + struct berval name = an[i].an_name; an[i].an_desc = NULL; an[i].an_oc = NULL; an[i].an_flags = 0; - rc = slap_bv2ad( &an[i].an_name, &an[i].an_desc, &dummy ); + rc = slap_bv2ad( &name, &an[i].an_desc, &dummy ); if ( rc == LDAP_SUCCESS ) { - an[i].an_name = an[i].an_desc->ad_cname; - + an[good_i] = an[i]; + an[good_i].an_name = an[good_i].an_desc->ad_cname; + good_i++; } else { int j; static struct berval special_attrs[] = { @@ -1537,23 +1539,29 @@ parseReadAttrs( BER_BVNULL }; - /* deal with special attribute types */ for ( j = 0; !BER_BVISNULL( &special_attrs[ j ] ); j++ ) { - if ( bvmatch( &an[i].an_name, &special_attrs[ j ] ) ) { - an[i].an_name = special_attrs[ j ]; + if ( bvmatch( &name, &special_attrs[ j ] ) ) { + an[good_i] = an[i]; + an[good_i].an_name = special_attrs[ j ]; + good_i++; break; } } - if ( BER_BVISNULL( &special_attrs[ j ] ) && ctrl->ldctl_iscritical ) { - rs->sr_err = rc; - rs->sr_text = dummy ? dummy - : READMSG( post, "unknown attributeType" ); - goto done; + if ( BER_BVISNULL( &special_attrs[ j ] ) ) { + if ( ctrl->ldctl_iscritical ) { + rs->sr_err = rc; + rs->sr_text = dummy ? dummy + : READMSG( post, "unknown attributeType" ); + goto done; + } } } } + if ( an ) + BER_BVZERO( &an[good_i].an_name ); + if ( post ) { op->o_postread_attrs = an; op->o_postread = ctrl->ldctl_iscritical @@ -1568,6 +1576,9 @@ parseReadAttrs( done: (void) ber_free( ber, 1 ); + if ( rs->sr_err != LDAP_SUCCESS && an ) { + ber_memfree( an ); + } return rs->sr_err; } ``` ## Harness ``` #define _GNU_SOURCE /* For memfd_create */ #include "portable.h" #include <stdio.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/mman.h> #include <sys/types.h> #include <signal.h> #include "slap.h" /* 1. Fix function declarations to match return types in OpenLDAP source code */ extern void slap_sl_mem_init( void ); extern int slapd_daemon_init( const char *urls ); extern int extops_init( void ); /* Returns int */ extern void lutil_passwd_init( void ); extern int slap_init( int mode, const char *name ); extern int read_config( const char *fname, const char *dname ); extern int connections_init( void ); /* Returns int */ extern int slap_startup( Backend *be ); void slapd_daemon_nothread( void ) {} extern int ldap_pvt_thread_initialize( void ); /* Returns int */ extern void* ldap_pvt_thread_pool_context( void ); extern void* connection_read_thread( void *ctx, void *arg ); extern void connection_closing( Connection *c, const char *why ); extern int connection_resched( Connection *c ); extern Connection* connection_init( int sfd, Listener *l, const char *authid, const char *dns, int flags, slap_ssf_t ssf, struct berval *authid_out ); extern ldap_pvt_thread_pool_t connection_pool; static Listener *global_listener = NULL; static struct berval authid_bv = {0, ""}; int LLVMFuzzerInitialize(int *argc, char ***argv) { signal(SIGPIPE, SIG_IGN); slap_debug = 0; slap_sl_mem_init(); if ( 0 != slapd_daemon_init("ldapi://%2Ftmp%2Ffuzz.sock") ) return 1; extops_init(); lutil_passwd_init(); if ( slap_init(SLAP_SERVER_MODE, "slapd-fuzz") ) return 2; read_config( NULL, NULL ); connections_init(); slap_startup(NULL); slapd_daemon_nothread(); ldap_pvt_thread_initialize(); global_listener = slapd_get_listeners()[0]; if (!global_listener) return 3; return 0; } #include <sys/socket.h> int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if (Size < 2 || Size > 65536) return 0; /* 2. Use socketpair to simulate socket read/write */ int sv[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0; if (write(sv[0], Data, Size) != (ssize_t)Size) { close(sv[0]); close(sv[1]); return 0; } /* Close write end so server receives EOF after reading data */ close(sv[0]); /* 3. Create connection (server uses sv[1]) */ Connection *c = connection_init(sv[1], global_listener, "fuzz", "IP=127.0.0.1", 0, 0, &authid_bv); if (!c) { close(sv[1]); return 0; } void* ctx = ldap_pvt_thread_pool_context(); /* Execute parsing logic */ connection_read_thread(ctx, (void*)(long)sv[1]); /* Wait for thread pool to complete all tasks to prevent background threads from accessing freed connection */ int active = 0, pending = 0; do { ldap_pvt_thread_pool_query(&connection_pool, LDAP_PVT_THREAD_POOL_PARAM_PENDING, &pending); ldap_pvt_thread_pool_query(&connection_pool, LDAP_PVT_THREAD_POOL_PARAM_ACTIVE, &active); if (active == 0 && pending == 0) break; ldap_pvt_thread_yield(); } while (1); /* 4. Thoroughly clean up manually, avoiding unstable macros * Directly manipulate queue pointers to ensure no 'error: use of undeclared identifier o_next' */ Operation *op; while ((op = LDAP_STAILQ_FIRST(&c->c_ops)) != NULL) { LDAP_STAILQ_REMOVE_HEAD(&c->c_ops, o_next); LDAP_STAILQ_NEXT(op, o_next) = NULL; slap_op_free(op, ctx); } LDAP_STAILQ_INIT(&c->c_ops); /* Close and reclaim Connection memory */ connection_closing(c, "fuzz complete"); connection_resched(c); /* ldap_pvt_thread_pool_resume(&connection_pool); */ return 0; } ``` -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10451] New: Sporadic failures in test lloadd/test001
by openldap-its＠openldap.org 16 Feb '26

16 Feb '26

https://bugs.openldap.org/show_bug.cgi?id=10451 Issue ID: 10451 Summary: Sporadic failures in test lloadd/test001 Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: lloadd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- It seems the connection is made but lloadd never gets the memo so it doesn't proceed with setting up the rest. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10430] New: Heap Buffer Overflow in parse_whsp causes Out-of-Bounds Read
by openldap-its＠openldap.org 16 Feb '26

16 Feb '26

https://bugs.openldap.org/show_bug.cgi?id=10430 Issue ID: 10430 Summary: Heap Buffer Overflow in parse_whsp causes Out-of-Bounds Read Product: OpenLDAP Version: unspecified Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: zesheng(a)tamu.edu Target Milestone: --- ## Summary A heap buffer overflow vulnerability in OpenLDAP's `parse_whsp()` function allows an attacker to trigger out-of-bounds memory reads when parsing malformed LDAP schema definitions, potentially leading to information disclosure or crashes. ## Root Cause The vulnerability exists in `libraries/libldap/schema.c` at line 1090. The `parse_whsp()` function iterates through a string checking for whitespace characters using `LDAP_SPACE()` macro, but does not verify that the pointer stays within the allocated buffer bounds. When parsing malformed schema strings that end unexpectedly, the function reads beyond the heap buffer. ### Vulnerable Code (schema.c:1086-1092) ```c /* Gobble optional whitespace */ static void parse_whsp(const char **sp) { while (LDAP_SPACE(**sp)) // BUG: no bounds check, can read past buffer (*sp)++; } ``` ### LDAP_SPACE Macro (ldap_pvt.h:255) ```c #define LDAP_SPACE(c) ((c) == ' ' || (c) == '\t' || (c) == '\n') ``` The macro checks for space/tab/newline but does NOT check for null terminator. If the heap memory immediately after the allocated buffer happens to contain whitespace bytes (0x20, 0x09, 0x0a), the function continues reading out of bounds. ## PoC ### Trigger file A crafted schema string (`poc`, 49 bytes) that triggers the overflow: ``` (13.5 NAME 'caseExactMatch' SYNTAX 'nooideithe1r. ``` ``` hexdump -C poc: 00000000 28 31 33 2e 35 20 4e 41 4d 45 20 27 63 61 73 65 |(13.5 NAME 'case| 00000010 45 78 61 63 74 4d 61 74 63 68 27 20 53 59 4e 54 |ExactMatch' SYNT| 00000020 41 58 20 27 6e 6f 6f 69 64 65 69 74 68 65 31 72 |AX 'nooideithe1r| 00000030 2e |.| ``` ### How to generate poc ```python # generate_poc.py data = b"(13.5 NAME 'caseExactMatch' SYNTAX 'nooideithe1r." with open("poc", "wb") as f: f.write(data) ``` --- ## Trigger Method 1: Direct API Call ```c // test_schema.c #include <stdio.h> #include <stdlib.h> #include <string.h> #include <ldap.h> #include <ldap_schema.h> int main(int argc, char **argv) { FILE *f = fopen("poc", "rb"); fseek(f, 0, SEEK_END); long size = ftell(f); fseek(f, 0, SEEK_SET); char *input = malloc(size + 1); fread(input, 1, size, f); input[size] = '\0'; fclose(f); int code = 0; const char *errp = NULL; // This triggers the vulnerability LDAPAttributeType *at = ldap_str2attributetype(input, &code, &errp, LDAP_SCHEMA_ALLOW_ALL); if (at) { ldap_attributetype_free(at); } free(input); return 0; } ``` **Build and run:** ```bash # Build OpenLDAP with AddressSanitizer cd openldap ./configure CC=clang CFLAGS="-fsanitize=address -g" --without-tls make # Compile and run test clang -fsanitize=address -g -I include \ -L libraries/libldap/.libs -L libraries/liblber/.libs \ test_schema.c -o test_schema -lldap -llber \ -Wl,-rpath,libraries/libldap/.libs:libraries/liblber/.libs ./test_schema ``` **Output:** ``` ==PID==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x506000000052 at pc 0x... bp 0x... sp 0x... READ of size 1 at 0x506000000052 thread T0 #0 0x... in parse_whsp libraries/libldap/schema.c:1090:9 #1 0x... in ldap_str2attributetype libraries/libldap/schema.c:2313:5 0x506000000052 is located 0 bytes after 50-byte region [0x506000000020,0x506000000052) allocated by thread T0 here: #0 0x... in malloc #1 0x... in main test_schema.c:... SUMMARY: AddressSanitizer: heap-buffer-overflow schema.c:1090:9 in parse_whsp ``` --- ## Trigger Method 2: Fuzzer ```c // fuzz_schema.c #include <stdint.h> #include <stddef.h> #include <stdlib.h> #include <string.h> #include <ldap.h> #include <ldap_schema.h> static const unsigned int flags[] = { LDAP_SCHEMA_ALLOW_NONE, LDAP_SCHEMA_ALLOW_NO_OID, LDAP_SCHEMA_ALLOW_QUOTED, LDAP_SCHEMA_ALLOW_DESCR, LDAP_SCHEMA_ALLOW_ALL, }; #define NUM_FLAGS (sizeof(flags) / sizeof(flags[0])) int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size == 0 || size > 16384) return 0; char *input = (char *)malloc(size + 1); if (!input) return 0; memcpy(input, data, size); input[size] = '\0'; int code = 0; const char *errp = NULL; // Test ldap_str2attributetype with different flags for (size_t i = 0; i < NUM_FLAGS; i++) { code = 0; errp = NULL; LDAPAttributeType *at = ldap_str2attributetype(input, &code, &errp, flags[i]); if (at) { ldap_attributetype_free(at); } } // Test ldap_str2objectclass for (size_t i = 0; i < NUM_FLAGS; i++) { code = 0; errp = NULL; LDAPObjectClass *oc = ldap_str2objectclass(input, &code, &errp, flags[i]); if (oc) { ldap_objectclass_free(oc); } } free(input); return 0; } ``` **Build and run:** ```bash clang -fsanitize=fuzzer,address -g -I include \ -L libraries/libldap/.libs -L libraries/liblber/.libs \ fuzz_schema.c -o fuzz_schema -lldap -llber \ -Wl,-rpath,libraries/libldap/.libs:libraries/liblber/.libs mkdir corpus && cp poc corpus/ ./fuzz_schema corpus/ ``` --- ## Impact | Aspect | Details | |--------|---------| | **Type** | Out-of-Bounds Read / Information Disclosure | | **Severity** | High | | **Attack Vector** | Malicious schema definition string | | **Affected Components** | `parse_whsp()`, `ldap_str2attributetype()`, `ldap_str2objectclass()`, libldap | | **Affected Applications** | Any application using libldap to parse LDAP schema definitions | | **CWE** | CWE-125 (Out-of-bounds Read) | --- ## Suggested Fix Add bounds checking in `parse_whsp()` to ensure it doesn't read past the null terminator: ```c static void parse_whsp(const char **sp) { while (**sp && LDAP_SPACE(**sp)) // Add null check (*sp)++; } ``` Note: `LDAP_SPACE('\0')` is false (0x00 is not space/tab/newline), so the issue only occurs when adjacent heap memory contains whitespace bytes. However, adding an explicit null check makes the code more robust and clearly documents the termination condition. -- You are receiving this mail because: You are on the CC list for the issue.

1 14

[Issue 10440] New: memberof stop working on replication slaves after upgrade from 2.6.10
by openldap-its＠openldap.org 16 Feb '26

16 Feb '26

https://bugs.openldap.org/show_bug.cgi?id=10440 Issue ID: 10440 Summary: memberof stop working on replication slaves after upgrade from 2.6.10 Product: OpenLDAP Version: 2.6.12 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: statoon54(a)gmail.com Target Milestone: --- Hi, We encountered a problem yesterday when upgrading to OpenLDAP version 2.6.12.1 from 2.6.10.1. The memberOf overlay failed to delete or add memberOf on the replica servers. Replication is functioning correctly, memberOf on master works too, but adding or removing a group member from the master no longer triggers this change on the slave servers. I think there's a regression in this version when replication occurs. Standard configuration overlay memberof memberof-refint true memberof-dangling ignore # sortVals sortvals member # multivalued attributes stockage improvement multival member 1000,100 # # Sync prov Replica # # syncrepl directive syncrepl rid=001 provider=""xxxxxx" bindmethod=simple binddn="xxxxxx" credentials="xxxxx" searchbase="xxxxx" scope="sub" attrs="*,+" schemachecking=off type=refreshAndPersist retry="5 12 60 10 300 24 3600 +" timeout=60 network-timeout=0 keepalive=0:0:0 updateref xxxxxx --- Some trace show a 122 failed on memberof_value_modify if i add or delete a member. (works great since 2.6.10 on slaves) févr. 04 11:38:04 ldap-v4-slave-1-dev slapd[573178]: syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) csn=20260204103803.030751Z#000000#000#000000 tid 0x7f7a1d3fd6c0 févr. 04 11:38:04 ldap-v4-slave-1-dev slapd[573178]: syncrepl_entry: rid=001 be_search (0) févr. 04 11:38:04 ldap-v4-slave-1-dev slapd[573178]: syncrepl_entry: rid=001 cn=APP:EBOUTIQUE,ou=groups,dc=exemple,dc=fr févr. 04 11:38:04 ldap-v4-slave-1-dev slapd[573178]: slap_queue_csn: queueing 0x7f7a1443a5a0 20260204103803.030751Z#000000#000#000000 févr. 04 11:38:10 ldap-v4-slave-1-dev slapd[573178]: conn=-1 op=0: memberof_value_modify DN="uid=269015,ou=accounts,dc=exemple,dc=fr" delete memberOf="cn=APP:EBOUTIQUE,ou=groups,dc=exemple,dc=fr" failed err=122 févr. 04 11:38:10 ldap-v4-slave-1-dev slapd[573178]: slap_graduate_commit_csn: removing 0x7f7a1443a5a0 20260204103803.030751Z#000000#000#000000 févr. 04 11:38:10 ldap-v4-slave-1-dev slapd[573178]: syncrepl_entry: rid=001 be_modify cn=APP:EBOUTIQUE,ou=groups,dc=exemple,dc=fr (0) févr. 04 11:38:10 ldap-v4-slave-1-dev slapd[573178]: slap_queue_csn: queueing 0x7f7a14439de0 20260204103803.030751Z#000000#000#000000 févr. 04 11:38:10 ldap-v4-slave-1-dev slapd[573178]: slap_graduate_commit_csn: removing 0x7f7a14439de0 20260204103803.030751Z#000000#000#000000 -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 10427] New: ldapsearch(1) incorrectly documents OID-based search option
by openldap-its＠openldap.org 16 Feb '26

16 Feb '26

https://bugs.openldap.org/show_bug.cgi?id=10427 Issue ID: 10427 Summary: ldapsearch(1) incorrectly documents OID-based search option Product: OpenLDAP Version: 2.6.10 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: client tools Assignee: bugs(a)openldap.org Reporter: michael.osipov(a)innomotics.com Target Milestone: --- Created attachment 1109 --> https://bugs.openldap.org/attachment.cgi?id=1109&action=edit Git-formatted patch Docs/manpage for -E say: [!]<oid>[=:<value>|::<b64value>] But it does not work: > $ ldapsearch -Y GSSAPI -O maxssf=1 -E '!1.2.840.113556.1.4.1340::MAYSBAAAAAI=' -o ldif-wrap=no -H ldap://innomotics.net "(objectClass=dnsNode1)" Invalid search extension name: 1.2.840.113556.1.4.1340::MAYSBAAAAAI It is '=::': > $ ldapsearch -Y GSSAPI -O maxssf=1 -E '!1.2.840.113556.1.4.1340=::MAYSBAAAAAI=' -o ldif-wrap=no -H ldap://innomotics.net "(objectClass=dnsNode1)" > SASL/GSSAPI authentication started Attached is a simple patch to fix it. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10448] New: Memory leak in syncprov_parseCtrl
by openldap-its＠openldap.org 16 Feb '26

16 Feb '26

https://bugs.openldap.org/show_bug.cgi?id=10448 Issue ID: 10448 Summary: Memory leak in syncprov_parseCtrl Product: OpenLDAP Version: 2.6.12 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: kangyang126(a)gmail.com Target Milestone: --- # ASAN Leak Report: Sync Provider Control ## Component * **File:** `servers/slapd/overlays/syncprov.c` * **Function:** `syncprov_parseCtrl` ## Issue Description **LeakSanitizer Error:** Memory leak of `sync_control` structure. ```plaintext ==266290==ERROR: LeakSanitizer: detected memory leaks Direct leak of 80 byte(s) in 1 object(s) allocated from: #0 0x555555964614 in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:67:3 #1 0x555555f58a04 in ber_memalloc_x /src/openldap/libraries/liblber/memory.c:228:9 #2 0x555555a7cb06 in ch_malloc /src/openldap/servers/slapd/ch_malloc.c:54:23 #3 0x555555b3ba6c in slap_sl_calloc /src/openldap/servers/slapd/sl_malloc.c:401:12 #4 0x555555ca1734 in syncprov_parseCtrl /src/openldap/servers/slapd/overlays/syncprov.c:4333:7 #5 0x555555b0e13c in slap_parse_ctrl /src/openldap/servers/slapd/controls.c:738:10 #6 0x555555b0f101 in get_ctrls2 /src/openldap/servers/slapd/controls.c:929:16 #7 0x555555a30eae in do_search /src/openldap/servers/slapd/search.c:194:6 #8 0x5555559e155d in connection_operation /src/openldap/servers/slapd/connection.c:1137:7 #9 0x5555559e0327 in connection_read_thread /src/openldap/servers/slapd/connection.c:1289:14 #10 0x5555559a869a in LLVMFuzzerTestOneInput /src/fuzz_slapd.c:88:5 ``` The `syncprov` overlay allocates a specific `sync_control` structure and attaches it to the operation's control list (`op->o_controls`) when parsing the `LDAP_CONTROL_SYNC`. * **Leak:** The core server's cleanup routine (`slap_free_ctrls`) is unaware of this overlay-specific structure. If the operation is abandoned or fails (e.g., during parsing of subsequent controls), the `sync_control` and its internal allocations (context CSNs, session IDs) are never freed. ## Fix * **Cleanup Callback:** Defined a new callback function `syncprov_ctrl_cleanup` that properly frees the `sync_control` structure. * **Registration:** Updated `syncprov_parseCtrl` to register this callback (`op->o_callback`) immediately after allocating the control. This ensures `slap_cleanup_play` invokes the cleanup routine during operation teardown, preventing the leak. ## Diff ```diff diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c index 042d742..7257f79 100644 --- a/servers/slapd/overlays/syncprov.c +++ b/servers/slapd/overlays/syncprov.c @@ -4246,6 +4246,26 @@ syncprov_db_destroy( return 0; } +static int +syncprov_ctrl_cleanup( Operation *op, SlapReply *rs ) +{ + if ( op->o_controls[slap_cids.sc_LDAPsync] ) { + sync_control *sr = op->o_controls[slap_cids.sc_LDAPsync]; + op->o_controls[slap_cids.sc_LDAPsync] = NULL; + if ( sr->sr_state.ctxcsn ) { + ber_bvarray_free_x( sr->sr_state.ctxcsn, op->o_tmpmemctx ); + } + if ( sr->sr_state.sids ) { + op->o_tmpfree( sr->sr_state.sids, op->o_tmpmemctx ); + } + if ( sr->sr_state.octet_str.bv_val ) { + op->o_tmpfree( sr->sr_state.octet_str.bv_val, op->o_tmpmemctx ); + } + op->o_tmpfree( sr, op->o_tmpmemctx ); + } + return slap_freeself_cb( op, rs ); +} + static int syncprov_parseCtrl ( Operation *op, SlapReply *rs, @@ -4353,6 +4373,13 @@ static int syncprov_parseCtrl ( op->o_sync_mode |= mode; /* o_sync_mode shares o_sync */ + { + slap_callback *cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx ); + cb->sc_cleanup = syncprov_ctrl_cleanup; + cb->sc_next = op->o_callback; + op->o_callback = cb; + } + return LDAP_SUCCESS; } ``` ## Harness ``` #define _GNU_SOURCE /* For memfd_create */ #include "portable.h" #include <stdio.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/mman.h> #include <sys/types.h> #include <signal.h> #include "slap.h" /* 1. Fix function declarations to match return types in OpenLDAP source code */ extern void slap_sl_mem_init( void ); extern int slapd_daemon_init( const char *urls ); extern int extops_init( void ); /* Returns int */ extern void lutil_passwd_init( void ); extern int slap_init( int mode, const char *name ); extern int read_config( const char *fname, const char *dname ); extern int connections_init( void ); /* Returns int */ extern int slap_startup( Backend *be ); void slapd_daemon_nothread( void ) {} extern int ldap_pvt_thread_initialize( void ); /* Returns int */ extern void* ldap_pvt_thread_pool_context( void ); extern void* connection_read_thread( void *ctx, void *arg ); extern void connection_closing( Connection *c, const char *why ); extern int connection_resched( Connection *c ); extern Connection* connection_init( int sfd, Listener *l, const char *authid, const char *dns, int flags, slap_ssf_t ssf, struct berval *authid_out ); extern ldap_pvt_thread_pool_t connection_pool; static Listener *global_listener = NULL; static struct berval authid_bv = {0, ""}; int LLVMFuzzerInitialize(int *argc, char ***argv) { signal(SIGPIPE, SIG_IGN); slap_debug = 0; slap_sl_mem_init(); if ( 0 != slapd_daemon_init("ldapi://%2Ftmp%2Ffuzz.sock") ) return 1; extops_init(); lutil_passwd_init(); if ( slap_init(SLAP_SERVER_MODE, "slapd-fuzz") ) return 2; read_config( NULL, NULL ); connections_init(); slap_startup(NULL); slapd_daemon_nothread(); ldap_pvt_thread_initialize(); global_listener = slapd_get_listeners()[0]; if (!global_listener) return 3; return 0; } #include <sys/socket.h> int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if (Size < 2 || Size > 65536) return 0; /* 2. Use socketpair to simulate socket read/write */ int sv[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0; if (write(sv[0], Data, Size) != (ssize_t)Size) { close(sv[0]); close(sv[1]); return 0; } /* Close write end so server receives EOF after reading data */ close(sv[0]); /* 3. Create connection (server uses sv[1]) */ Connection *c = connection_init(sv[1], global_listener, "fuzz", "IP=127.0.0.1", 0, 0, &authid_bv); if (!c) { close(sv[1]); return 0; } void* ctx = ldap_pvt_thread_pool_context(); /* Execute parsing logic */ connection_read_thread(ctx, (void*)(long)sv[1]); /* Wait for thread pool to complete all tasks to prevent background threads from accessing freed connection */ int active = 0, pending = 0; do { ldap_pvt_thread_pool_query(&connection_pool, LDAP_PVT_THREAD_POOL_PARAM_PENDING, &pending); ldap_pvt_thread_pool_query(&connection_pool, LDAP_PVT_THREAD_POOL_PARAM_ACTIVE, &active); if (active == 0 && pending == 0) break; ldap_pvt_thread_yield(); } while (1); /* 4. Thoroughly clean up manually, avoiding unstable macros * Directly manipulate queue pointers to ensure no 'error: use of undeclared identifier o_next' */ Operation *op; while ((op = LDAP_STAILQ_FIRST(&c->c_ops)) != NULL) { LDAP_STAILQ_REMOVE_HEAD(&c->c_ops, o_next); LDAP_STAILQ_NEXT(op, o_next) = NULL; slap_op_free(op, ctx); } LDAP_STAILQ_INIT(&c->c_ops); /* Close and reclaim Connection memory */ connection_closing(c, "fuzz complete"); connection_resched(c); /* ldap_pvt_thread_pool_resume(&connection_pool); */ return 0; } ``` -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10450] New: memory leak in parseAssert
by openldap-its＠openldap.org 16 Feb '26

16 Feb '26

https://bugs.openldap.org/show_bug.cgi?id=10450 Issue ID: 10450 Summary: memory leak in parseAssert Product: OpenLDAP Version: 2.6.12 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: kangyang126(a)gmail.com Target Milestone: --- # Memory Leak Fix: Control Parsing Error Handling ## Summary Fixed a memory leak in LDAP control parsing caused by improper error handling in `parseAssert` and `parseValuesReturnFilter` functions. The issue resulted in double response sending and disrupted the normal resource cleanup flow. --- ## Problem Description ### Memory Leak Details - **Location**: `servers/slapd/controls.c` - **Affected Functions**: `parseAssert()`, `parseValuesReturnFilter()` - **Leak Size**: 24 bytes per occurrence (Filter structure) - **Trigger**: Control parsing errors or incomplete operation cleanup ### Stack Trace ``` Direct leak of 24 byte(s) in 1 object(s) allocated from: #0 malloc #1 ber_memalloc_x /src/openldap/libraries/liblber/memory.c:228 #2 ch_malloc /src/openldap/servers/slapd/ch_malloc.c:54 #3 get_filter0 /src/openldap/servers/slapd/filter.c:312 #4 get_filter_list /src/openldap/servers/slapd/filter.c:350 #5 get_filter0 /src/openldap/servers/slapd/filter.c:244 #6 get_filter_list /src/openldap/servers/slapd/filter.c:350 #7 get_filter0 /src/openldap/servers/slapd/filter.c:231 #8 parseAssert /src/openldap/servers/slapd/controls.c:1435 #9 slap_parse_ctrl /src/openldap/servers/slapd/controls.c:738 #10 get_ctrls2 /src/openldap/servers/slapd/controls.c:929 #11 do_search /src/openldap/servers/slapd/search.c:194 #12 connection_operation /src/openldap/servers/slapd/connection.c:1137 #13 connection_read_thread /src/openldap/servers/slapd/connection.c:1289 ``` --- ## Root Cause Analysis ### Architectural Issue Control parser functions were violating the separation of concerns by: 1. **Sending LDAP responses directly** instead of returning error codes 2. **Manually freeing resources** in error paths instead of relying on cleanup infrastructure 3. **Breaking the normal cleanup flow** established by `slap_op_free()` → `slap_free_ctrls()` ### Code Flow Analysis #### Before Fix - Incorrect Flow: ``` 1. get_ctrls2() calls slap_parse_ctrl() 2. slap_parse_ctrl() calls parseAssert() 3. parseAssert() calls get_filter() which allocates Filter 4. get_filter() returns error 5. parseAssert() sends LDAP response ← FIRST SEND (wrong!) 6. parseAssert() frees op->o_assertion ← Manual cleanup (wrong!) 7. parseAssert() returns error to slap_parse_ctrl() 8. slap_parse_ctrl() returns error to get_ctrls2() 9. get_ctrls2() goes to return_results: 10. get_ctrls2() sends LDAP response ← SECOND SEND (duplicate!) 11. Operation cleanup may or may not happen 12. If cleanup fails → MEMORY LEAK ``` #### After Fix - Correct Flow: ``` 1. get_ctrls2() calls slap_parse_ctrl() 2. slap_parse_ctrl() calls parseAssert() 3. parseAssert() calls get_filter() which allocates Filter 4. get_filter() returns error 5. parseAssert() returns error (no send, no cleanup) 6. slap_parse_ctrl() returns error to get_ctrls2() 7. get_ctrls2() goes to return_results: 8. get_ctrls2() sends LDAP response ← SINGLE SEND (correct!) 9. Eventually slap_op_free() is called 10. slap_op_free() calls slap_free_ctrls() 11. slap_free_ctrls() properly frees all resources 12. No memory leak ``` --- ## The Fix ### Files Modified - `servers/slapd/controls.c` ### Changes Made #### 1. parseAssert() - Lines 1435-1451 **Removed:** ```c if( rs->sr_err != LDAP_SUCCESS ) { if( rs->sr_err == SLAPD_DISCONNECT ) { rs->sr_err = LDAP_PROTOCOL_ERROR; send_ldap_disconnect( op, rs ); rs->sr_err = SLAPD_DISCONNECT; } else { send_ldap_result( op, rs ); } if( op->o_assertion != NULL ) { filter_free_x( op, op->o_assertion, 1 ); op->o_assertion = NULL; } return rs->sr_err; } ``` **Replaced with:** ```c if( rs->sr_err != LDAP_SUCCESS ) { return rs->sr_err; } ``` #### 2. parseValuesReturnFilter() - Lines 1630-1647 **Removed:** ```c if( rs->sr_err != LDAP_SUCCESS ) { if( rs->sr_err == SLAPD_DISCONNECT ) { rs->sr_err = LDAP_PROTOCOL_ERROR; send_ldap_disconnect( op, rs ); rs->sr_err = SLAPD_DISCONNECT; } else { send_ldap_result( op, rs ); } if( op->o_vrFilter != NULL) { vrFilter_free( op, op->o_vrFilter ); op->o_vrFilter = NULL; } } ``` **Replaced with:** ```c if( rs->sr_err != LDAP_SUCCESS ) { return rs->sr_err; } ``` --- ## Technical Details ### Cleanup Infrastructure The proper cleanup is handled by: 1. **slap_op_free()** (`servers/slapd/operation.c:80`) - Called when operations are freed from connection queue - Invokes `slap_free_ctrls(op, op->o_ctrls)` at line 102 2. **slap_free_ctrls()** (`servers/slapd/controls.c:608`) - Checks `if(ctrls == op->o_ctrls)` to ensure cleaning operation controls - Frees `op->o_assertion` via `filter_free_x()` (lines 615-617) - Frees `op->o_vrFilter` via `vrFilter_free()` (lines 619-621) - Handles NULL checks properly, safe for partial parsing ## Harness ``` #define _GNU_SOURCE /* For memfd_create */ #include "portable.h" #include <stdio.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/mman.h> #include <sys/types.h> #include <signal.h> #include "slap.h" /* 1. Fix function declarations to match return types in OpenLDAP source code */ extern void slap_sl_mem_init( void ); extern int slapd_daemon_init( const char *urls ); extern int extops_init( void ); /* Returns int */ extern void lutil_passwd_init( void ); extern int slap_init( int mode, const char *name ); extern int read_config( const char *fname, const char *dname ); extern int connections_init( void ); /* Returns int */ extern int slap_startup( Backend *be ); void slapd_daemon_nothread( void ) {} extern int ldap_pvt_thread_initialize( void ); /* Returns int */ extern void* ldap_pvt_thread_pool_context( void ); extern void* connection_read_thread( void *ctx, void *arg ); extern void connection_closing( Connection *c, const char *why ); extern int connection_resched( Connection *c ); extern Connection* connection_init( int sfd, Listener *l, const char *authid, const char *dns, int flags, slap_ssf_t ssf, struct berval *authid_out ); extern ldap_pvt_thread_pool_t connection_pool; static Listener *global_listener = NULL; static struct berval authid_bv = {0, ""}; int LLVMFuzzerInitialize(int *argc, char ***argv) { signal(SIGPIPE, SIG_IGN); slap_debug = 0; slap_sl_mem_init(); if ( 0 != slapd_daemon_init("ldapi://%2Ftmp%2Ffuzz.sock") ) return 1; extops_init(); lutil_passwd_init(); if ( slap_init(SLAP_SERVER_MODE, "slapd-fuzz") ) return 2; read_config( NULL, NULL ); connections_init(); slap_startup(NULL); slapd_daemon_nothread(); ldap_pvt_thread_initialize(); global_listener = slapd_get_listeners()[0]; if (!global_listener) return 3; return 0; } #include <sys/socket.h> int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if (Size < 2 || Size > 65536) return 0; /* 2. Use socketpair to simulate socket read/write */ int sv[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0; if (write(sv[0], Data, Size) != (ssize_t)Size) { close(sv[0]); close(sv[1]); return 0; } /* Close write end so server receives EOF after reading data */ close(sv[0]); /* 3. Create connection (server uses sv[1]) */ Connection *c = connection_init(sv[1], global_listener, "fuzz", "IP=127.0.0.1", 0, 0, &authid_bv); if (!c) { close(sv[1]); return 0; } void* ctx = ldap_pvt_thread_pool_context(); /* Execute parsing logic */ connection_read_thread(ctx, (void*)(long)sv[1]); /* Wait for thread pool to complete all tasks to prevent background threads from accessing freed connection */ int active = 0, pending = 0; do { ldap_pvt_thread_pool_query(&connection_pool, LDAP_PVT_THREAD_POOL_PARAM_PENDING, &pending); ldap_pvt_thread_pool_query(&connection_pool, LDAP_PVT_THREAD_POOL_PARAM_ACTIVE, &active); if (active == 0 && pending == 0) break; ldap_pvt_thread_yield(); } while (1); /* 4. Thoroughly clean up manually, avoiding unstable macros * Directly manipulate queue pointers to ensure no 'error: use of undeclared identifier o_next' */ Operation *op; while ((op = LDAP_STAILQ_FIRST(&c->c_ops)) != NULL) { LDAP_STAILQ_REMOVE_HEAD(&c->c_ops, o_next); LDAP_STAILQ_NEXT(op, o_next) = NULL; slap_op_free(op, ctx); } LDAP_STAILQ_INIT(&c->c_ops); /* Close and reclaim Connection memory */ connection_closing(c, "fuzz complete"); connection_resched(c); /* ldap_pvt_thread_pool_resume(&connection_pool); */ return 0; } ``` -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Issue 10447] New: memory leak in the LDAP chaining behavior control parser (`ldap_chain_parse_ctrl`)
by openldap-its＠openldap.org 16 Feb '26

16 Feb '26

https://bugs.openldap.org/show_bug.cgi?id=10447 Issue ID: 10447 Summary: memory leak in the LDAP chaining behavior control parser (`ldap_chain_parse_ctrl`) Product: OpenLDAP Version: 2.6.12 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: kangyang126(a)gmail.com Target Milestone: --- # Memory Leak Fix Report: LDAP Chain Control Parser ## Executive Summary Fixed a memory leak in the LDAP chaining behavior control parser (`ldap_chain_parse_ctrl`) that was leaking 80 bytes per failed control parsing operation. The leak was detected by LeakSanitizer during fuzzing operations. ## Issue Details **File**: `servers/slapd/back-ldap/chain.c` **Function**: `ldap_chain_parse_ctrl` ## Root Cause Analysis The `ldap_chain_parse_ctrl` function allocates a BER (Basic Encoding Rules) structure at line 2222: ```c ber = ber_init( &ctrl->ldctl_value ); ``` This allocation is properly freed at the end of the function (line 2303) in the success path: ```c (void) ber_free( ber, 1 ); ``` However, the function contains **five error handling paths** that return `LDAP_PROTOCOL_ERROR` before reaching the cleanup code, causing the BER structure to leak in these failure scenarios: 1. **Invalid resolveBehavior tag** (line 2231-2235) 2. **Unknown resolveBehavior value** (line 2254-2258) 3. **continuationBehavior decoding error** (line 2263-2267) 4. **Unknown continuationBehavior value** (line 2291-2295) 5. **Final sequence parsing error** (line 2298-2302) ## LeakSanitizer Stack Trace ``` ==76274==ERROR: LeakSanitizer: detected memory leaks Direct leak of 80 byte(s) in 1 object(s) allocated from: #0 0x55dd3756d7d9 in calloc #1 0x55dd37b62198 in ber_memcalloc_x #2 0x55dd37b62198 in ber_memcalloc #3 0x55dd37b5def2 in ber_alloc_t #4 0x55dd37b5def2 in ber_init #5 0x55dd37a14e97 in ldap_chain_parse_ctrl (chain.c:2222) #6 0x55dd3771714c in slap_parse_ctrl #7 0x55dd37718111 in get_ctrls2 #8 0x55dd37752c26 in do_add ``` ## Solution Implemented Added `ber_free( ber, 1 );` before each early return statement to ensure proper cleanup in all code paths: ### Fix 1: resolveBehavior decoding error (line 2232) ```diff diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c index a789e7a..8fdd7a5 100644 --- a/servers/slapd/back-ldap/chain.c +++ b/servers/slapd/back-ldap/chain.c @@ -2229,6 +2229,7 @@ ldap_chain_parse_ctrl( /* FIXME: since the whole SEQUENCE is optional, * should we accept no enumerations at all? */ if ( tag != LBER_ENUMERATED ) { + ber_free( ber, 1 ); rs->sr_text = "Chaining behavior control: resolveBehavior decoding error"; return LDAP_PROTOCOL_ERROR; } @@ -2251,6 +2252,7 @@ ldap_chain_parse_ctrl( break; default: + ber_free( ber, 1 ); rs->sr_text = "Chaining behavior control: unknown resolveBehavior"; return LDAP_PROTOCOL_ERROR; } @@ -2259,6 +2261,7 @@ ldap_chain_parse_ctrl( if ( tag == LBER_ENUMERATED ) { tag = ber_scanf( ber, "e", &behavior ); if ( tag == LBER_ERROR ) { + ber_free( ber, 1 ); rs->sr_text = "Chaining behavior control: continuationBehavior decoding error"; return LDAP_PROTOCOL_ERROR; } @@ -2286,12 +2289,14 @@ ldap_chain_parse_ctrl( break; default: + ber_free( ber, 1 ); rs->sr_text = "Chaining behavior control: unknown continuationBehavior"; return LDAP_PROTOCOL_ERROR; } } if ( ( ber_scanf( ber, /* { */ "}") ) == LBER_ERROR ) { + ber_free( ber, 1 ); rs->sr_text = "Chaining behavior control: decoding error"; return LDAP_PROTOCOL_ERROR; } ``` ## Harness ``` #define _GNU_SOURCE /* For memfd_create */ #include "portable.h" #include <stdio.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/mman.h> #include <sys/types.h> #include <signal.h> #include "slap.h" /* 1. Fix function declarations to match return types in OpenLDAP source code */ extern void slap_sl_mem_init( void ); extern int slapd_daemon_init( const char *urls ); extern int extops_init( void ); /* Returns int */ extern void lutil_passwd_init( void ); extern int slap_init( int mode, const char *name ); extern int read_config( const char *fname, const char *dname ); extern int connections_init( void ); /* Returns int */ extern int slap_startup( Backend *be ); void slapd_daemon_nothread( void ) {} extern int ldap_pvt_thread_initialize( void ); /* Returns int */ extern void* ldap_pvt_thread_pool_context( void ); extern void* connection_read_thread( void *ctx, void *arg ); extern void connection_closing( Connection *c, const char *why ); extern int connection_resched( Connection *c ); extern Connection* connection_init( int sfd, Listener *l, const char *authid, const char *dns, int flags, slap_ssf_t ssf, struct berval *authid_out ); extern ldap_pvt_thread_pool_t connection_pool; static Listener *global_listener = NULL; static struct berval authid_bv = {0, ""}; int LLVMFuzzerInitialize(int *argc, char ***argv) { signal(SIGPIPE, SIG_IGN); slap_debug = 0; slap_sl_mem_init(); if ( 0 != slapd_daemon_init("ldapi://%2Ftmp%2Ffuzz.sock") ) return 1; extops_init(); lutil_passwd_init(); if ( slap_init(SLAP_SERVER_MODE, "slapd-fuzz") ) return 2; read_config( NULL, NULL ); connections_init(); slap_startup(NULL); slapd_daemon_nothread(); ldap_pvt_thread_initialize(); global_listener = slapd_get_listeners()[0]; if (!global_listener) return 3; return 0; } #include <sys/socket.h> int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if (Size < 2 || Size > 65536) return 0; /* 2. Use socketpair to simulate socket read/write */ int sv[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0; if (write(sv[0], Data, Size) != (ssize_t)Size) { close(sv[0]); close(sv[1]); return 0; } /* Close write end so server receives EOF after reading data */ close(sv[0]); /* 3. Create connection (server uses sv[1]) */ Connection *c = connection_init(sv[1], global_listener, "fuzz", "IP=127.0.0.1", 0, 0, &authid_bv); if (!c) { close(sv[1]); return 0; } void* ctx = ldap_pvt_thread_pool_context(); /* Execute parsing logic */ connection_read_thread(ctx, (void*)(long)sv[1]); /* Wait for thread pool to complete all tasks to prevent background threads from accessing freed connection */ int active = 0, pending = 0; do { ldap_pvt_thread_pool_query(&connection_pool, LDAP_PVT_THREAD_POOL_PARAM_PENDING, &pending); ldap_pvt_thread_pool_query(&connection_pool, LDAP_PVT_THREAD_POOL_PARAM_ACTIVE, &active); if (active == 0 && pending == 0) break; ldap_pvt_thread_yield(); } while (1); /* 4. Thoroughly clean up manually, avoiding unstable macros * Directly manipulate queue pointers to ensure no 'error: use of undeclared identifier o_next' */ Operation *op; while ((op = LDAP_STAILQ_FIRST(&c->c_ops)) != NULL) { LDAP_STAILQ_REMOVE_HEAD(&c->c_ops, o_next); LDAP_STAILQ_NEXT(op, o_next) = NULL; slap_op_free(op, ctx); } LDAP_STAILQ_INIT(&c->c_ops); /* Close and reclaim Connection memory */ connection_closing(c, "fuzz complete"); connection_resched(c); /* ldap_pvt_thread_pool_resume(&connection_pool); */ return 0; } ``` -- You are receiving this mail because: You are on the CC list for the issue.

1 4

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs