--On Friday, June 27, 2008 12:41 AM +0000 hyc@symas.com wrote:
> Howard Chu wrote:
>> zdi-disclosures@tippingpoint.com wrote:
>>> Full_Name: Cameron Hotchkies
>>> Version: 2.3.41
>>> OS: Gentoo Linux
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (66.179.208.36)
>>>
>>> This vulnerability allows remote attackers to deny services on vulnerable installations of OpenLDAP. Authentication is not required to exploit this vulnerability.
>>
>> Thanks for the report, a fix is now in HEAD. Please test.
>
> For future reference, it looks like this may have crept in in 2001, rev 1.88/ITS#2465...
2003, not 2001?
1.88  Thu Apr 24 00:10:18 2003 UTC (5 years, 2 months ago) by hyc
Changed since 1.87: +3 -3 lines
Diffs to 1.87
ITS#2465 fix? ber_get_next must read at least sizeof(tag)+sizeof(len) which should be at most 8 bytes. However if we read more than the minimum message length, we have a problem because we steal bytes from any following message, and there is no buffer mechanism to push back excess data. The shortest legitimate message is Unbind at 7 bytes, but there shouldn't be anything following it. Abandon at 8 bytes is next, so always requesting at least 8 bytes should be safe. Always requesting 9 was a problem.
Please double-check these assumptions...
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
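As an added illustration of the minimum-read reasoning in the commit message quoted above (example code written for this thread, not OpenLDAP's liblber): it decodes a BER tag/length header, measures the two smallest LDAP PDUs, and shows how a reader that always requests more than 8 bytes takes bytes from whatever message follows. The PDU bytes and the `ber_header`/`stolen_bytes` helpers are constructed for the example.

```c
/* Added example, not OpenLDAP's code: models the minimum-read reasoning in the
 * ITS#2465 commit message. Single-byte tags and definite lengths only. */
#include <stddef.h>
#include <stdint.h>

/* Decode a BER tag and length. Returns the header size in bytes, 0 if more
 * input is needed, or -1 if the encoding is not one LDAP produces. */
static int ber_header(const uint8_t *buf, size_t n, size_t *content_len)
{
    size_t i = 1, nlen, len = 0, k;
    if (n < 2) return 0;
    if ((buf[0] & 0x1f) == 0x1f) return -1;            /* multi-byte tag */
    if (buf[i] < 0x80) { *content_len = buf[i]; return 2; }
    nlen = buf[i++] & 0x7f;
    if (nlen == 0 || nlen > sizeof(size_t)) return -1;  /* indefinite/oversize */
    if (n < i + nlen) return 0;
    for (k = 0; k < nlen; k++) len = (len << 8) | buf[i + k];
    *content_len = len;
    return (int)(i + nlen);
}

/* Total encoded size of the first message in stream[0..n), or -1. */
static long first_message_len(const uint8_t *stream, size_t n)
{
    size_t content;
    int hdr = ber_header(stream, n, &content);
    return hdr > 0 ? (long)((size_t)hdr + content) : -1;
}

/* A reader that always requests at least min_read bytes consumes whatever is
 * available up to that amount. Returns how many bytes it took from beyond the
 * first message, i.e. bytes stolen from the message that follows. */
static long stolen_bytes(const uint8_t *stream, size_t n, size_t min_read)
{
    long msg = first_message_len(stream, n);
    size_t requested;
    if (msg < 0) return -1;
    requested = min_read > (size_t)msg ? min_read : (size_t)msg;
    if (requested > n) requested = n;                   /* nothing more on the wire */
    return (long)(requested - (size_t)msg);
}

/* Constructed sample PDUs: UnbindRequest (7 bytes) and AbandonRequest (8 bytes),
 * messageIDs 1, 2 and 3. */
static const uint8_t UNBIND[]  = { 0x30, 0x05, 0x02, 0x01, 0x01, 0x42, 0x00 };
static const uint8_t ABANDON[] = { 0x30, 0x06, 0x02, 0x01, 0x02, 0x50, 0x01, 0x01 };
static const uint8_t TWO_ABANDONS[] = { 0x30, 0x06, 0x02, 0x01, 0x02, 0x50, 0x01, 0x01,
                                        0x30, 0x06, 0x02, 0x01, 0x03, 0x50, 0x01, 0x01 };
```

With two back-to-back Abandon PDUs, a minimum read of 8 stays within the first message while a minimum read of 9 consumes one byte of the second, which matches the commit message's conclusion.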