daniel@haxx.se wrote:
> Full_Name: Daniel Stenberg
> Version: any
> OS: Linux
> URL:
> Submission from: (NULL) (178.174.211.173)
>
> The function ldap_get_attribute_ber() is called to get attributes, but it turns out that it can return LDAP_SUCCESS and still return a NULL pointer in the result pointer when getting a particularly crafted response.
>
> This was a surprise to us and to curl, as this caused us a security vulnerability. See https://curl.haxx.se/docs/adv_2018-97a2.html
>
> - There's no man page nor online resource to read the docs for this function so it's really hard to figure out this fact.
>
> - This behavior is surprising, and this flaw was even written by someone very familiar with OpenLDAP, indicating it is unintended or at least not the normal path.

It's actually normal; if you issue a search and specify attrsonly, the results will only contain attribute names and no values. (e.g. using ldapsearch -A)

As such, returning LDAP_SUCCESS with a NULL value is correct.

Unfortunate oversight on my part when writing that curl patch.

Looking at the mitigation you've applied, I'm not sure it's correct. In particular, you're terminating the loop when you receive a NULL value, but there may actually be multiple attributes present (with no values on any of them) and you ought to continue iterating through them all.

> - Due to the above two points, I believe there's a risk curl is not the only application in the world that had this bad assumption and thus this might be a lurking security issue in more projects.
>
> / Daniel
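As an added illustration that is not part of this ITS thread and not code from OpenLDAP or curl: the block below uses a constructed stand-in (`sim_get_attribute()`, `sim_entry`, `sim_cursor`, all assumed names) for the ldap_get_attribute_ber() contract described above, i.e. LDAP_SUCCESS with a NULL value array for an attribute that has no values, and attr.bv_val == NULL once the attributes are exhausted. It then runs the same constructed entries through two loop shapes: the first curl mitigation, which leaves the loop on a NULL value array, and the shape the reply recommends, which renders the bare attribute name and keeps iterating. The sample entries and their values are constructed for the example.

```c
/* Added example; not code from OpenLDAP, curl or this ITS thread.
 * sim_get_attribute() is a constructed stand-in for the
 * ldap_get_attribute_ber() contract: it returns LDAP_SUCCESS, may hand
 * back a NULL value array for an attribute without values (attrsonly),
 * and marks the end of the attributes with attr->bv_val == NULL. */
#include <stdio.h>
#include <string.h>

#define LDAP_SUCCESS 0

/* Shaped like OpenLDAP's struct berval; values here are C strings. */
struct berval { size_t bv_len; char *bv_val; };

/* Constructed entry: NULL-terminated attribute names plus a parallel list
 * of value arrays (each ends with bv_val == NULL); a NULL array models an
 * attribute returned without values. */
struct sim_entry { const char *const *names; struct berval *const *vals; };

/* Iteration state standing in for the BerElement cursor. */
struct sim_cursor { const struct sim_entry *e; size_t idx; };

static int sim_get_attribute(struct sim_cursor *c, struct berval *attr,
                             struct berval **vals)
{
    const char *name = c->e->names[c->idx];
    if (name == NULL) {                 /* no more attributes */
        attr->bv_val = NULL;
        attr->bv_len = 0;
        *vals = NULL;
        return LDAP_SUCCESS;
    }
    attr->bv_val = (char *)name;
    attr->bv_len = strlen(name);
    *vals = c->e->vals[c->idx++];       /* NULL is a legitimate result */
    return LDAP_SUCCESS;
}

/* Bounded append into a fixed buffer; returns bytes written. */
static size_t append(char *dst, size_t room, const char *s)
{
    size_t len = strlen(s);
    if (room == 0) return 0;
    if (len >= room) len = room - 1;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return len;
}

/* Emit "name\n" when there are no values, else "name: value\n" per value.
 * Returns the new fill level of out. */
static size_t emit_attr(char *out, size_t used, size_t outsz,
                        const struct berval *attr, const struct berval *vals)
{
    size_t i;
    if (vals == NULL) {
        used += append(out + used, outsz - used, attr->bv_val);
        return used + append(out + used, outsz - used, "\n");
    }
    for (i = 0; vals[i].bv_val != NULL; i++) {
        used += append(out + used, outsz - used, attr->bv_val);
        used += append(out + used, outsz - used, ": ");
        used += append(out + used, outsz - used, vals[i].bv_val);
        used += append(out + used, outsz - used, "\n");
    }
    return used;
}

/* First curl mitigation: a NULL value array ends the loop.
 * Returns the number of attributes rendered into out. */
static int render_break_on_null(const struct sim_entry *e, char *out, size_t outsz)
{
    struct sim_cursor c = { e, 0 };
    struct berval attr, *vals;
    size_t used = 0;
    int rc, n = 0;
    out[0] = '\0';
    for (rc = sim_get_attribute(&c, &attr, &vals);
         rc == LDAP_SUCCESS && vals != NULL;
         rc = sim_get_attribute(&c, &attr, &vals)) {
        used = emit_attr(out, used, outsz, &attr, vals);
        n++;
    }
    return n;
}

/* Shape the reply recommends: only attr.bv_val == NULL ends the walk; a
 * NULL value array is rendered as a bare name and iteration continues.
 * (With the real API the value array is released after use; here there
 * is nothing to free.) */
static int render_continue_on_null(const struct sim_entry *e, char *out, size_t outsz)
{
    struct sim_cursor c = { e, 0 };
    struct berval attr, *vals;
    size_t used = 0;
    int rc, n = 0;
    out[0] = '\0';
    for (rc = sim_get_attribute(&c, &attr, &vals);
         rc == LDAP_SUCCESS;
         rc = sim_get_attribute(&c, &attr, &vals)) {
        if (attr.bv_val == NULL)
            break;
        used = emit_attr(out, used, outsz, &attr, vals);  /* vals may be NULL */
        n++;
    }
    return n;
}

/* Constructed sample entries: one fully attrsonly, one with values on
 * some attributes but not on others. */
static const char *const sample_names[] = { "cn", "mail", "objectClass", NULL };
static struct berval cn_vals[] = { { 5, "alice" }, { 0, NULL } };
static struct berval oc_vals[] = { { 6, "person" }, { 3, "top" }, { 0, NULL } };
static struct berval *const attrsonly_vals[] = { NULL, NULL, NULL };
static const struct sim_entry attrsonly_entry = { sample_names, attrsonly_vals };
static struct berval *const mixed_vals[] = { cn_vals, NULL, oc_vals };
static const struct sim_entry mixed_entry = { sample_names, mixed_vals };

int main(void)
{
    char out[256];
    int n = render_break_on_null(&attrsonly_entry, out, sizeof out);
    printf("break on NULL: %d attribute(s)\n%s", n, out);
    n = render_continue_on_null(&attrsonly_entry, out, sizeof out);
    printf("continue on NULL: %d attribute(s)\n%s", n, out);
    return 0;
}
```

On the attrsonly entry the break-on-NULL loop renders nothing at all, while the continue-on-NULL loop renders all three attribute names; on the mixed entry the first loop stops after `cn` and silently drops `objectClass`, which is the point raised in the reply above.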