https://bugs.openldap.org/show_bug.cgi?id=10342
Issue ID: 10342
Summary: Potential Memory Leak in function mdb_txn_begin
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: alexguo1023(a)gmail.com
Target Milestone: ---
Created attachment 1069
--> https://bugs.openldap.org/attachment.cgi?id=1069&action=edit
Free txn->mt_u.dirty_list before freeing txn
The function `mdb_txn_begin` allocates the dirty list via
```c
txn->mt_u.dirty_list = malloc(sizeof(MDB_ID2) * MDB_IDL_UM_SIZE);
```
Later, when `txn != env->me_txn0`, it calls
```c
free(txn);
```
without first freeing `txn->mt_u.dirty_list`. This orphaned allocation leads to
a memory leak.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10340
Issue ID: 10340
Summary: Potential Buffer Overflow in mdb_rebalance
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: alexguo1023(a)gmail.com
Target Milestone: ---
Created attachment 1067
--> https://bugs.openldap.org/attachment.cgi?id=1067&action=edit
Add an early return when `mc->mc_top == 0`
In `mdb_rebalance`, we do:
```c
int ptop = mc->mc_top - 1;
node = mc->mc_pg[ptop];
```
However, `mc->mc_top` defaults to 0 in many contexts, so `ptop` can become
`-1`. Indexing `mc->mc_pg[-1]` causes invalid memory access. Elsewhere this is
handled by checking `mc->mc_top > 0` before decrementing.
To fix this, we add an early return when `mc->mc_top == 0`. A root page (or one
without a parent) doesn’t need rebalancing, so this guard prevents `ptop` from
ever being negative and eliminates the out-of-bounds access.
https://bugs.openldap.org/show_bug.cgi?id=10341
Issue ID: 10341
Summary: Two potential buffer overruns in function mdb_cmp_cint.
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: alexguo1023(a)gmail.com
Target Milestone: ---
Created attachment 1068
--> https://bugs.openldap.org/attachment.cgi?id=1068&action=edit
Patch: Fix buffer overrun in function mdb_cmp_cint
We found two potential bugs in `mdb_cmp_cint`’s backward‐scan loop:
```c
u = (unsigned short *)((char *)a->mv_data + a->mv_size);
c = (unsigned short *)((char *)b->mv_data + a->mv_size);
do {
x = *--u - *--c;
} while (!x && u > (unsigned short *)a->mv_data);
```
1. **Underflow when `a->mv_size == 0`**
If `a->mv_size` is zero, `u` is initialized to point one past the end of the
zero‐length buffer. The first `--u` then moves it before `a->mv_data`, and the
subsequent dereference is undefined. The original API allows lengths from 0 to
`0xFFFFFFFF`, so a zero length is possible and could lead to pointer underflow
here.
2. **Overflow of `b->mv_data` when `b->mv_size < a->mv_size`**
The code uses `a->mv_size` to advance both `u` and `c`, and only
bounds‐checks `u`. If `b->mv_size` is smaller than `a->mv_size`, `c` may run
past the end of its buffer before the loop terminates, causing a buffer
overrun.
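A guarded form of the backward scan quoted in issue 10341, as an added example that is neither the attached patch nor LMDB's own code. `val_t`, `cmp_cint_guarded` and `cmp_sample` are hypothetical names, the keys are constructed, and ordering values of different size by their size is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the library's size+pointer value type. */
typedef struct { size_t mv_size; const void *mv_data; } val_t;

/* Compare little-endian multi-word integers, most significant word last.
 * Assumption of this sketch: values of different size are ordered by size,
 * so the scan only runs over two buffers of equal, known length.
 * A trailing odd byte is ignored. */
static int cmp_cint_guarded(const val_t *a, const val_t *b)
{
    const unsigned char *pa = a->mv_data, *pb = b->mv_data;
    size_t i;

    if (a->mv_size != b->mv_size)   /* never index b using a's size */
        return a->mv_size < b->mv_size ? -1 : 1;

    /* A zero-length value gives i == 0, so nothing is dereferenced. */
    for (i = a->mv_size / sizeof(unsigned short); i > 0; i--) {
        unsigned short x, y;
        size_t off = (i - 1) * sizeof(unsigned short);
        memcpy(&x, pa + off, sizeof x);   /* memcpy avoids unaligned loads */
        memcpy(&y, pb + off, sizeof y);
        if (x != y)
            return x < y ? -1 : 1;
    }
    return 0;
}

/* Constructed sample keys (not taken from the report). */
static const unsigned short K_LOW[]   = { 5, 1 };
static const unsigned short K_HIGH[]  = { 9, 1 };
static const unsigned short K_SHORT[] = { 9 };

static int cmp_sample(const void *d1, size_t n1, const void *d2, size_t n2)
{
    val_t a = { n1, d1 }, b = { n2, d2 };
    return cmp_cint_guarded(&a, &b);
}

int main(void)
{
    printf("equal size:  %d\n", cmp_sample(K_LOW, sizeof K_LOW, K_HIGH, sizeof K_HIGH));
    printf("zero length: %d\n", cmp_sample(NULL, 0, NULL, 0));
    printf("shorter b:   %d\n", cmp_sample(K_HIGH, sizeof K_HIGH, K_SHORT, sizeof K_SHORT));
    return 0;
}
```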
https://bugs.openldap.org/show_bug.cgi?id=6083
--- Comment #6 from Howard Chu <hyc(a)openldap.org> ---
(In reply to Heiko Zelt from comment #4)
> PS: and I would like to check if a password is compromised. I already have
> an external checker for this. It just needs an interface to OpenLDAP.
> Information about compromised passwords and its importance can be found at
> https://haveibeenpwned.com/
To be clear - you should write your own pwdCheckModule that interfaces to
whatever you want to talk to.
https://bugs.openldap.org/show_bug.cgi?id=10353
Issue ID: 10353
Summary: No TLS connection on Windows because of missing ENOTCONN in socket.h
Product: OpenLDAP
Version: 2.6.10
Hardware: All
OS: Windows
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: julien.wadel(a)belledonne-communications.com
Target Milestone: ---
On Windows, the TLS connection cannot be done and we get the connection error:
Can't contact LDAP server.
=> Connections are done with WSAGetLastError().
After getting WSAEWOULDBLOCK, the connection is not restarted because of the
state WSAENOTCONN, which is not known.
OpenLDAP uses ENOTCONN, which is set to 126 by "ucrt/errno.h", while WSAENOTCONN
is 10057L.
Adding #define ENOTCONN WSAENOTCONN
like for EWOULDBLOCK resolves the issue.
Reference commit on external project:
https://gitlab.linphone.org/BC/public/external/openldap/-/commit/62fbfb12e8…
https://bugs.openldap.org/show_bug.cgi?id=10352
Issue ID: 10352
Summary: minor: Improve documentation of option "-n" for ldapdelete
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: u.windl(a)ukr.de
Target Milestone: ---
The documentation for option "-n" in ldapdelete says:
"Show what would be done, but don't actually delete entries.
Useful for debugging in conjunction with -v."
However using option "-n" without option "-v" does not output anything!
So the description should be improved, or "-n" should implicitly enable option
"-v".
Specifically it's not obvious what "Useful for debugging in conjunction with
-v." refers to.
https://bugs.openldap.org/show_bug.cgi?id=10350
Issue ID: 10350
Summary: Free ch_calloc-allocated memory in error paths
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: alexguo1023(a)gmail.com
Target Milestone: ---
Created attachment 1079
--> https://bugs.openldap.org/attachment.cgi?id=1079&action=edit
Free ch_calloc-allocated memory in error paths
1. In aa_operational, bv_allowed and bv_effective are allocated via ch_calloc.
If ja == 0 or je == 0, these memory objects are never freed and do not escape
the function, causing a potential memory leak.
2. In memberof_db_init, the memory allocated by ch_calloc isn’t released on
error paths, leading to another potential leak.
https://bugs.openldap.org/show_bug.cgi?id=10351
Issue ID: 10351
Summary: olcSaslHost lacks default value
Product: OpenLDAP
Version: 2.5.13
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: fredrik(a)falk-net.se
Target Milestone: ---
I'm trying to configure multi-master replication with SASL for cn=config and
some other databases. However, I'm running into an issue with GSSAPI/SASL as it
also syncs olcSaslHost, which has to be unique to each host in order to work.
I'd like it if, when olcSaslHost is left empty, it defaulted to the hostname/FQDN
of the host running slapd, which would resolve the issue.
This issue has been encountered before:
https://www.openldap.org/lists/openldap-technical/201508/msg00124.html
https://www.openldap.org/lists/openldap-technical/201001/msg00048.html
https://bugs.openldap.org/show_bug.cgi?id=6083
--- Comment #5 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
On Wed, Jun 04, 2025 at 10:59:16AM +0000, openldap-its(a)openldap.org wrote:
> PS: and I would like to check if a password is compromised. I already have an
> external checker for this. It just needs an interface to OpenLDAP. Information
> about compromised passwords and its importance can be found at
> https://haveibeenpwned.com/
Hi Heiko,
if that's what you need, you could write your own policy checker
wrapper. If you feel you can design an interface fit for wider use, you
can even submit it for inclusion and it will be considered.
But remember the slapd-sock overlay exists already and should be able to
intercept the password change just fine if you don't need access to the
rest of the entry being changed.
Thanks,
https://bugs.openldap.org/show_bug.cgi?id=6083
--- Comment #4 from Heiko Zelt <hz(a)heikozelt.de> ---
PS: and I would like to check if a password is compromised. I already have an
external checker for this. It just needs an interface to OpenLDAP. Information
about compromised passwords and its importance can be found at
https://haveibeenpwned.com/