Full_Name: Lexi Haley
Version: 02/20/2020 trunk commit 299fb490a27e7b0e5a60464e33f5ea04d00f0f7c
OS: CYGWIN on Windows
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (208.206.3.188)
Using clients/tools/ldapsearch to interact with my company's Active Directory, I receive a segfault in libraries/liblber/decode.c. The 'gist' of the command I executed was:
ldapsearch.exe -h companyADserver -b cn=users,dc=company,dc=com -s sub '(cn=z*)' cn
The gdb backtrace is (omitting all the (arg=val) items for brevity):

#0 ber_get_stringbvl (...) at decode.c:445
#1 0x0000000100435781 in ber_scanf (...) at decode.c:820
#2 0x000000010041a605 in ldap_get_attribute_ber (...) at getattr.c:149
#3 0x0000000100401d93 in print_entry (...) at ldapsearch.c:1758
#5 0x000000010043bfd7 in main (...) at ldapsearch.c:1510
And digging around, here is what I see going on. In decode.c, during the ber_get_stringbvl function, the passed-in b (aka cookie from caller) has the following values:
{choice = BvOff, option = 0, siz = 1, off = 4294967296, result = 0x800055410}
Notice that off is 0x100000000, a likely ridiculous (and thus a possible MAGIC) value. Examining ber_scanf, looking at the memory for the va_args, i.e. examining ap, I see (sure enough) 0x100000000...
As a hacky temporary workaround, I added to my ber_get_stringbvl, before even pulling the tag:
} res;
+ if (b->off == 0x100000000) + return LBER_DEFAULT;
tag = ber_skip_tag( ber, &bv.bv_len );
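Review bot: the added `if (b->off == 0x100000000) return LBER_DEFAULT;` guards against one observed value only, so any other stale high-half value in `off` would still reach the code below it; since 0x100000000 is exactly 1<<32 and the report sees the same value in `ap` inside ber_scanf, this looks more like a 32-bit argument being read through a 64-bit va_arg slot than like a value decode.c should special-case. Rather than a magic-number test, check the type of the argument that the ber_scanf call at getattr.c:149 passes in the `off` position against the type ber_get_stringbvl's va_arg expects, and if a callee-side guard is still wanted, make it a range check of `off` against `siz` so that any out-of-range offset is rejected, not just this one.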
I did try rewinding my source back to OPENLDAP_REL_ENG_2_4_40 (2014) and then to OPENLDAP_REL_ENG_2_4_30 (2012), and both compilations still yielded the segfault error I described above.
I'm afraid I do not know much about LDAP or Active Directory, so I easily might be omitting something relevant and/or completely missing the mark in different ways.
Feel free to ask me for more information, and/or suggest what I might try out.
Thanks, Lexi
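The value 4294967296 (0x100000000) in the report is exactly 1<<32, which is what a 64-bit read of a variadic argument slot returns when the caller stored only a 32-bit int into it and the upper half kept a stale 1. Whether that is really the cause here is not established by the report; the following is an added illustration, not OpenLDAP code, of that failure mode and of the two places a fix can live. It assumes a little-endian machine, uses a stand-in type `ber_len_t_demo` for the 64-bit length/offset type a ber_scanf-style callee reads with va_arg, and the helper names `read_slot_after_32bit_store`, `read_len_arg` and `bvoff_is_sane` are made up for the example.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added demo, not OpenLDAP code. ber_len_t_demo stands in for the 64-bit
 * length/offset type that a ber_scanf-style callee fetches with va_arg. */
typedef uint64_t ber_len_t_demo;

/* Model one 64-bit variadic argument slot: the callee reads 8 bytes, but the
 * caller wrote only a 4-byte int. On a little-endian machine (assumption) the
 * low half is overwritten and the high half keeps whatever was there before,
 * so a stale slot of 0x100000000 and a stored 0 read back as 0x100000000. */
ber_len_t_demo read_slot_after_32bit_store(uint64_t stale_slot, uint32_t written)
{
    unsigned char slot[sizeof(uint64_t)];
    ber_len_t_demo out;

    memcpy(slot, &stale_slot, sizeof stale_slot); /* leftover slot contents */
    memcpy(slot, &written, sizeof written);       /* the caller's 32-bit store */
    memcpy(&out, slot, sizeof out);               /* the callee's 64-bit read */
    return out;
}

/* The caller-side fix: pass an argument of exactly the type the callee's
 * va_arg names, so all 8 bytes of the slot are defined by the caller. */
ber_len_t_demo read_len_arg(int count, ...)
{
    va_list ap;
    ber_len_t_demo v = 0;

    va_start(ap, count);
    if (count > 0)
        v = va_arg(ap, ber_len_t_demo);
    va_end(ap);
    return v;
}

/* A callee-side guard that does not depend on one magic value: an offset
 * inside an element of size siz must leave room for a berval of bv_size bytes.
 * Written so that neither comparison can wrap on huge offsets. */
int bvoff_is_sane(ber_len_t_demo off, ber_len_t_demo siz, size_t bv_size)
{
    return off <= siz && siz - off >= bv_size;
}

int main(void)
{
    ber_len_t_demo got = read_slot_after_32bit_store(0x100000000ULL, 0);

    printf("32-bit store into a stale 64-bit slot reads back as 0x%llx\n",
           (unsigned long long)got);
    printf("properly typed argument reads back as %llu\n",
           (unsigned long long)read_len_arg(1, (ber_len_t_demo)4));
    printf("off=0x100000000 siz=1 accepted? %d\n",
           bvoff_is_sane(0x100000000ULL, 1, sizeof(void *) * 2));
    return 0;
}
```

The simulation uses memcpy rather than a real mistyped call because reading a 32-bit argument as 64-bit through va_arg is undefined behaviour and what it returns varies by compiler and optimisation level; the memcpy version shows deterministically why 1<<32 is the telltale value. The range check is the shape a callee-side guard should take if one is kept: it rejects the reported off/siz pair and every other offset that cannot address a berval inside the element, instead of only the single value seen in this run.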